Impact
An out‑of‑bounds write in the Android modem subsystem allows an attacker to overwrite memory locations outside the intended buffer. The flaw is caused by a missing bounds check and can be exploited without elevating privileges or needing user interaction, meaning any malicious payload injected through the modem interface can execute arbitrary code. The vulnerability is classified as CWE‑119, indicating a classic buffer overrun problem with potentially severe confidentiality, integrity, and availability implications for the device.
Affected Systems
The affected party is the Android operating system, as developed by Google. No specific device models or software version numbers are listed in this advisory, so any Android installation that includes the unpatched modem component is potentially vulnerable.
Risk and Exploitability
The CVSS score of 8.8 marks this flaw as high severity, while the EPSS score of <1% suggests it is currently rarely exploited in the wild. The flaw is not listed in CISA’s KEV catalog. Based on the description, the attacker likely targets the modem’s communication interface—such as cellular or Wi‑Fi networks—since user interaction is not required. If an attacker can send crafted data to the modem, they can trigger the out‑of‑bounds write and gain remote code execution on the device.
OpenCVE Enrichment