January 11, 2025 at 02:09PM

Google Project Zero researcher uncovers zero-click zero-day exploit targeting Samsung devices.

CVE-2024-49415: Security flaw impacting Monkey’s Audio (APE) decoder on Samsung smartphones that could lead to code execution.

Out-of-bounds write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code.

https://security.samsungmobile.com/securityUpdate.smsb

The function saped_rec in libsaped.so writes to a dmabuf allocated by the C2 media service, which always appears to have size 0x120000.

https://project-zero.issues.chromium.org/issues/368695689

https://thehackernews.com/2025/01/google-project-zero-researcher-uncovers.html