
CVE-2024-29745: Android Information Disclosure Vulnerability

CVE-2024-29745 is an information disclosure vulnerability in Google Android caused by uninitialized data. Attackers can exploit this flaw locally without elevated privileges or user interaction. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

CVE-2024-29745 Overview

CVE-2024-29745 is an information disclosure vulnerability in Google Android caused by the use of uninitialized memory [CWE-908]. A local attacker with low privileges can read sensitive data left in uninitialized memory regions, leading to local information disclosure without user interaction. The vulnerability has been confirmed as exploited in the wild and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. GrapheneOS publicly disclosed that forensic tooling was leveraging the flaw against firmware unlock states on Pixel devices. Google addressed the issue in the April 2024 Android Security Bulletin.

Critical Impact

Local attackers can extract sensitive uninitialized memory contents from Android devices, enabling forensic data recovery against locked or rebooted devices.

Affected Products

  • Google Android (Pixel firmware as referenced in the April 2024 Pixel Security Bulletin)
  • Devices running affected Android builds prior to the April 2024 security patch level
  • Forensic-targeted Android firmware unlock states impacted per GrapheneOS disclosure

Discovery Timeline

  • 2024-04-05 - CVE-2024-29745 published to the National Vulnerability Database
  • April 2024 - Google releases security patch via the Android Security Bulletin for Pixel
  • 2025-10-24 - Last updated in NVD database

Technical Details for CVE-2024-29745

Vulnerability Analysis

The vulnerability is an information disclosure flaw caused by uninitialized memory use, classified under [CWE-908]. When affected Android components allocate memory buffers without properly initializing them, residual data from prior allocations remains accessible. A local process with limited privileges can read these buffers and recover sensitive content the operating system did not intend to expose.

GrapheneOS reported that the issue affected the firmware unlock state on Pixel devices, where forensic tools could exploit uninitialized memory to extract sensitive data from devices in Before First Unlock (BFU) and After First Unlock (AFU) states. The flaw does not require user interaction and does not depend on elevated privileges, making it attractive for forensic extraction workflows operating on seized devices.

Root Cause

The root cause is improper initialization of memory regions before they are read or returned to a caller. Affected code paths allocate buffers and pass them to consumers without zeroing or fully populating the contents. Sensitive data left in memory from prior operations becomes readable through these uninitialized regions. Refer to the Android Security Bulletin for the specific component and patch references.

Attack Vector

Exploitation requires local access to the device and a low-privileged execution context. An attacker triggers the vulnerable code path and reads the returned buffer to harvest residual memory contents. In the documented forensic scenario, attackers used the flaw against devices recovered in a locked state to read material that should have been inaccessible without authentication.

No verified public exploit code is published. The vulnerability mechanism is described in the GrapheneOS disclosure and the Android Security Bulletin April 2024.

Detection Methods for CVE-2024-29745

Indicators of Compromise

  • Unexpected access to Android devices in BFU or AFU states by forensic tooling without authorized custody chains
  • Anomalous local process activity reading kernel or driver buffers on Pixel devices below the April 2024 patch level
  • Devices reporting a security patch level earlier than 2024-04-05 after expected updates

Detection Strategies

  • Audit fleet security patch levels and flag Android devices not reporting the April 2024 or later patch string
  • Monitor mobile device management (MDM) compliance reports for Pixel devices remaining on vulnerable firmware
  • Correlate device check-in telemetry with the CISA KEV remediation deadline for CVE-2024-29745

Monitoring Recommendations

  • Enforce attestation checks that validate the Android security patch level on enrolled devices
  • Alert on lost or stolen Pixel devices that remain unpatched and may be subject to forensic extraction
  • Track threat intelligence references to forensic tooling abusing Android uninitialized memory flaws

How to Mitigate CVE-2024-29745

Immediate Actions Required

  • Apply the April 2024 Android security patch or later to all Pixel and affected Android devices
  • Verify the device reports a security patch level of 2024-04-05 or later under Settings > About phone
  • Prioritize remediation per the CISA KEV catalog timeline, since the vulnerability is confirmed exploited in the wild
  • Power down high-risk devices when unattended to keep them in the more protected BFU state

Patch Information

Google published the fix in the April 2024 Android Security Bulletin for Pixel. Administrators should consult the Android Security Bulletin April 2024 for the component patch references and ensure all managed devices ingest the corresponding OTA update. CISA tracks remediation requirements under the CISA Known Exploited Vulnerabilities Catalog.

Workarounds

  • Keep devices powered off when not in use to maintain the Before First Unlock state, reducing forensic exposure
  • Enforce strong screen-lock credentials and disable USB data transfer in the locked state via MDM policy
  • Restrict installation of untrusted local applications that could invoke the vulnerable code path
  • Decommission and securely wipe Pixel devices that cannot receive the April 2024 patch

```bash
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output: 2024-04-05 or later
```
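
A fleet-scale version of the patch-level check above and of the audit step under Detection Strategies, as an added example that is not part of the original page: it flags any device whose `ro.build.version.security_patch` value is older than 2024-04-05, missing, or malformed. The function names and the sample inventory are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original page): flag devices whose reported
# security patch level is older than the 2024-04-05 level named on this page.
REQUIRED_PATCH="2024-04-05"

# Succeeds only for a YYYY-MM-DD string dated on or after REQUIRED_PATCH.
# Empty or malformed values fail closed, so they are flagged too.
patch_is_compliant() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-0[1-9]-[0-3][0-9]) ;;
        [0-9][0-9][0-9][0-9]-1[0-2]-[0-3][0-9]) ;;
        *) return 1 ;;
    esac
    # Dropping the dashes turns zero-padded dates into comparable integers.
    [ "$(printf '%s' "$1" | tr -d '-')" -ge \
      "$(printf '%s' "$REQUIRED_PATCH" | tr -d '-')" ]
}

# Reads "serial patch_level" lines on stdin, prints one verdict per device,
# and returns non-zero if any device needs attention.
audit_inventory() {
    audit_rc=0
    while read -r serial level; do
        [ -n "$serial" ] || continue
        if patch_is_compliant "$level"; then
            echo "OK   $serial $level"
        else
            echo "FLAG $serial ${level:-unknown}"
            audit_rc=1
        fi
    done
    return "$audit_rc"
}

# Live collection from USB-attached devices (requires adb; not run here).
# </dev/null stops "adb shell" from swallowing the loop's remaining input.
collect_from_adb() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        level=$(adb -s "$serial" shell getprop \
            ro.build.version.security_patch </dev/null | tr -d '\r')
        echo "$serial $level"
    done
}

# Constructed inventory; the serials are placeholders, not real devices.
sample_inventory() {
    printf '%s\n' "SERIAL-A 2024-04-05" "SERIAL-B 2024-03-05" \
        "SERIAL-C 2025-01-01" "SERIAL-D" "SERIAL-E unknown"
}

sample_inventory | audit_inventory || echo "non-compliant devices found"
```

With devices attached, `collect_from_adb | audit_inventory` runs the same audit on live values; an MDM export reduced to `serial patch_level` lines can be piped in the same way.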

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
