Advisory

Google researchers confirm critical flaw in Samsung S24, S23

Take action: If you are using a Samsung S series device, especially an S23 or S24, patch it now to the latest security update. Just start the update and read a book for an hour.


Learn More

Google researchers confirm a significant vulnerability in Samsung Galaxy devices, affecting the S23 and S24 models.

The flaw is tracked as CVE-2024-49415 (CVSS score 8.1), an out-of-bounds write vulnerability in the Monkey's Audio (APE) decoder. It exposes potential remote code execution through RCS message audio transcription in Samsung's transcription service and audio processing.

The issue occurs when the transcription service processes incoming audio attachments before user interaction. The bug allows writing up to three times the intended data size (0x120000) into a dmabuf allocated by the C2 media service, potentially leading to memory corruption.

It's a zero-click vulnerability, meaning it can be exploited without any user interaction when Google Messages is configured for RCS (the default setting). An attacker could potentially combine this with other vulnerabilities to plant malware or exfiltrate data.

Affected Devices:

  • Confirmed: Samsung Galaxy S23 and S24
  • Other models: Testing status not disclosed

Mitigation: The vulnerability was patched in Samsung's December 2024 security update. Users are strongly advised to:

  1. Check their current security patch level
  2. Install the December update if not already applied
  3. Enable automatic security updates where possible
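
For anyone responsible for more than one phone, the patch-level check in step 1 can be run over a device inventory. The script below is an added example, not part of the original advisory; the CSV layout, device IDs and model strings are constructed, and it assumes a device with the December 2024 update reports a patch level of 2024-12-01 or later.

```python
import csv
import io
from datetime import date

# Assumption: the December 2024 update corresponds to patch level 2024-12-01.
# On a device, the level can be read with:
#   adb shell getprop ro.build.version.security_patch
FIXED_LEVEL = date(2024, 12, 1)
CONFIRMED_MODELS = ("S23", "S24")  # models the advisory lists as confirmed

# Constructed sample inventory (hypothetical MDM export format).
SAMPLE_INVENTORY = """device_id,model,security_patch
dev-001,Galaxy S24,2024-11-01
dev-002,Galaxy S23 Ultra,2024-12-01
dev-003,Galaxy S24+,2025-01-01
dev-004,Galaxy A54,2024-10-01
dev-005,Galaxy S23,
"""

def parse_patch_level(value):
    """Return a date for 'YYYY-MM-DD', or None if missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None

def classify(model, patch_level):
    """Classify one device against the December 2024 patch level."""
    level = parse_patch_level(patch_level)
    if level is None:
        return "unknown"     # no usable patch level: check the device by hand
    if level >= FIXED_LEVEL:
        return "patched"
    if any(name in model for name in CONFIRMED_MODELS):
        return "vulnerable"  # confirmed model on a pre-December level
    return "review"          # older level, model status not disclosed

def audit(inventory_csv):
    """Map each device_id in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device_id"]: classify(r["model"], r["security_patch"]) for r in rows}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Devices reported as "review" run an older patch level on a model the advisory does not list as tested, so they are queued for the same update rather than treated as safe.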