π€ Google Project Zero researcher uncovers Zero-Click Zero-Day exploit targeting Samsung devices.
CVE-2024-49415: Security flaw impacting Monkey’s Audio (APE) decoder on Samsung smartphones that could lead to code execution.
Out-of-bounds write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code.
https://security.samsungmobile.com/securityUpdate.smsb
The function saped_rec in libsaped.so writes to a dmabuf allocated by the C2 media service, which always appears to have size 0x120000.
https://project-zero.issues.chromium.org/issues/368695689
https://thehackernews.com/2025/01/google-project-zero-researcher-uncovers.html