Impact
The vulnerability is an out‑of‑bounds write in the Android Modem subsystem caused by a missing bounds check. This flaw permits an attacker to overwrite arbitrary memory, leading to remote code execution without needing additional privileges. It is classified under CWE‑120 and CWE‑787, indicating a classic buffer overflow and buffer overread/overwrite condition. The consequences are total compromise of confidentiality, integrity, and availability of the affected device, since no user interaction is required and the fault can be triggered remotely.
Affected Systems
The affected platform is Android as supplied by Google. No specific product or version information is provided, so all Android devices with the vulnerable Modem implementation are potentially impacted until a formal patch is deployed. The issue manifests in the Modem code path that handles external modem commands.
Risk and Exploitability
The CVSS score of 8.8 flags this flaw as high‑severity. The EPSS score is less than 1 % indicating that, while the theoretical risk is significant, current data suggest a low probability of exploitation in the wild. This vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via network interfaces that communicate with the modem, as the description states that no user interaction is required for exploitation. Exploitation would require an attacker capable of interacting with the device’s modem control protocol, which is typically exposed over local or cellular channels.
OpenCVE Enrichment