Impact
The vulnerability is an out-of-bounds write in the lwis_io_buffer.c module of Android, caused by memory corruption within the lwis_io_buffer_write function. This flaw can allow a local attacker to overwrite memory arbitrarily, potentially leading to execution of arbitrary code with system privileges. No user interaction is required for exploitation, which means any user with access to the device could trigger this escalation.
Affected Systems
The affected product is the Android operating system distributed by Google. Specific version information is not provided in the CVE data, so the vulnerability may exist in any recent Android release that includes the vulnerable lwis_io_buffer implementation.
Risk and Exploitability
The CVSS score of 7.8 indicates a high severity level for privilege escalation. The EPSS score of less than 1% suggests that current exploitation activity is extremely low. The vulnerability is not listed in the CISA KEV catalog, implying no publicly known large-scale exploitation. The likely attack vector is local, as the flaw requires direct access to the device or a trusted local process to trigger the buffer write. Given the high impact and local nature, the risk to affected users remains significant until the flaw is remediated.
OpenCVE Enrichment