CVE-2024-38271

Denial of Service in Quick Share

Description

There exists a vulnerability in Quick Share/Nearby, where an attacker can force a victim to stay connected to a temporary hotspot created for the sharing. As part of the sequence of packets in a Quick Share connection over Bluetooth, the attacker forces the victim to connect to the attacker’s WiFi network and then sends an OfflineFrame that crashes Quick Share. This makes the Wifi connection to the attacker’s network last, instead of returning to the old network when the Quick Share session completes, allowing the attacker to be a MiTM. We recommend upgrading to version 1.0.1724.0 of Quick Share or above

Category

5.9
CVSS
Severity: Medium
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.05%
Affected: Google Nearby
Published at:
Updated at:

References

Link Tags
https://github.com/google/nearby/pull/2433 patch issue tracking
https://github.com/google/nearby/pull/2435 patch issue tracking
https://github.com/google/nearby/pull/2589 patch issue tracking
https://github.com/google/nearby/pull/2402 patch issue tracking

Frequently Asked Questions

What is the severity of CVE-2024-38271?
CVE-2024-38271 has been scored as a medium severity vulnerability.
How to fix CVE-2024-38271?
To fix CVE-2024-38271, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-38271 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-38271 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-38271?
CVE-2024-38271 affects Google Nearby.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.