CVE-2024-49415

The vulnerable software is Samsung's Monkey's Audio (APE) decoder, used in Samsung smartphones running Android versions 12, 13, and 14. The vulnerability is a high-severity out-of-bounds write flaw that allows remote attackers to execute arbitrary code on the device without any user interaction. This is a zero-click vulnerability, meaning that attackers can exploit it without the user having to click on anything. The vulnerability is exploited through a specially crafted audio file sent via Google Messages on RCS-enabled devices, such as the Galaxy S23 and S24. A proof-of-concept (PoC) for the vulnerability has been released, and Samsung has issued a security update to patch the flaw. Users are advised to update their devices to the latest software version, SMR Dec-2024 Release 1, to fix the vulnerability. It is estimated that millions of devices are at risk due to this vulnerability. The vulnerable versions are prior to SMR Dec-2024 Release 1. #Samsung #Android #MonkeyAudio #GoogleProjectZero #Cybersecurity #ZeroClickVulnerability #RCS #GalaxyS23 #GalaxyS24