CVE-2024-29786 Overview
CVE-2024-29786 is an out-of-bounds write vulnerability in the pktproc_fill_data_addr_without_bm function within link_rx_pktproc.c on Google Android. The flaw stems from a missing bounds check during packet processing in the cellular modem packet receive path. Attackers can trigger remote code execution over the network without user interaction and without holding any prior privileges. Google addressed the issue in the Android Security Bulletin - June 2024. The weakness is classified under [CWE-787] (Out-of-bounds Write).
Critical Impact
Remote attackers can achieve code execution on affected Android devices with no user interaction, enabling silent device compromise from the network.
Affected Products
- Google Android (Pixel devices, June 2024 security patch level and earlier)
- The vulnerable component resides in the link_rx_pktproc packet processor used by the cellular modem driver
- Devices that had not applied the June 2024 Pixel security update
Discovery Timeline
- 2024-06-01 - Google releases fix in the Android Security Bulletin (Pixel) for June 2024
- 2024-06-13 - CVE-2024-29786 published to the National Vulnerability Database
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-29786
Vulnerability Analysis
The vulnerability resides in pktproc_fill_data_addr_without_bm, a routine in link_rx_pktproc.c responsible for populating packet data addresses in the receive path without using a buffer manager. The function writes data to a destination buffer but omits a required boundary check on the size or index used during the write operation. An attacker who can deliver crafted packets reaching this code path can write beyond the allocated buffer, corrupting adjacent kernel memory. Because the affected code executes in a privileged context within the modem-to-application processor data path, successful exploitation yields remote code execution. The advisory states no additional execution privileges and no user interaction are required.
Root Cause
The root cause is a missing bounds check [CWE-787] in pktproc_fill_data_addr_without_bm. The function trusts attacker-influenced length or index values when filling packet data addresses, allowing the write offset to exceed the destination buffer.
Attack Vector
The attack vector is network-based with low complexity. An attacker delivers a malformed packet that traverses the cellular link receive pipeline, reaching the vulnerable packet processor. Because user interaction is not required, exploitation can occur silently against any device with an active radio interface processing the crafted input.
Vulnerability mechanism (prose description - no verified PoC available):
    function pktproc_fill_data_addr_without_bm(queue):
        // Attacker-influenced length or descriptor index is consumed
        // without validating it against the destination buffer size.
        // The write past the buffer boundary corrupts adjacent memory,
        // producing an exploitable out-of-bounds write condition.
Detection Methods for CVE-2024-29786
Indicators of Compromise
- Unexpected modem or rmnet driver crashes and kernel panics referencing link_rx_pktproc or pktproc_fill_data_addr_without_bm in logcat or dmesg output.
- Devices reporting a security patch level earlier than 2024-06-01 while operating on untrusted cellular networks.
- Anomalous radio interface restarts coinciding with inbound traffic from unknown peers.
Detection Strategies
- Inventory mobile fleets to identify Android and Pixel devices whose security patch level predates June 2024.
- Monitor mobile device management (MDM) compliance reports for missing June 2024 Android security updates.
- Correlate device crash telemetry referencing the cellular packet processor with network exposure events.
Monitoring Recommendations
- Track Android security patch level attestation through MDM and conditional access policies.
- Forward device crash and tombstone data to a central log platform for analysis of modem-related faults.
- Watch for vendor updates to the Android Security Bulletin covering the link_rx_pktproc component.
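One way to triage exported dmesg or logcat text for the crash indicators listed above, as an added example that is not part of the original advisory. The banners matched are the standard Linux kernel oops and panic strings; the 40-line window, the function names and the sample log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the advisory: list kernel fault reports that
# implicate the packet processor. A symbol only counts when it appears within
# FAULT_WINDOW lines after an oops/panic banner, so routine mentions are ignored.
PKTPROC_SYMS='link_rx_pktproc|pktproc_fill_data_addr_without_bm'

# scan_pktproc_faults FILE... -> one "file:line:text" per implicated fault report
scan_pktproc_faults() {
    awk -v sym="$PKTPROC_SYMS" -v win="${FAULT_WINDOW:-40}" '
        FNR == 1 { left = 0 }                       # a window never spans two files
        /Unable to handle kernel|BUG: / {           # banner that opens a new report
            hit = 0; left = win; next
        }
        /Internal error: Oops|Kernel panic - not syncing/ {
            if (left == 0) hit = 0                  # panic with no earlier banner
            left = win; next
        }
        left > 0 {
            left--
            if (!hit && $0 ~ sym) {                 # first matching frame per report
                hit = 1
                printf "%s:%d:%s\n", FILENAME, FNR, $0
            }
        }
    ' "$@"
}

# Constructed sample log: timestamps, addresses and offsets are invented.
write_sample_log() {
    cat > "$1" <<'EOF'
[    4.100000] modem rx path: pktproc_fill_data_addr_without_bm in use (informational)
[ 5121.330912] Unable to handle kernel paging request at virtual address ffffff8012345678
[ 5121.330951] Internal error: Oops: 96000045 [#1] PREEMPT SMP
[ 5121.331020] pc : pktproc_fill_data_addr_without_bm+0x1a4/0x2c0
[ 5121.331044] Call trace:
[ 5121.331050]  pktproc_fill_data_addr_without_bm+0x1a4/0x2c0
[ 5121.331102] Kernel panic - not syncing: Oops: Fatal exception
[ 9001.000100] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[ 9001.000140] pc : other_driver_irq+0x20/0x80
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
scan_pktproc_faults "$sample"     # reports line 4 only
rm -f "$sample"
```

A hit is a lead for crash analysis on that device, not evidence of exploitation on its own; pair it with the device's patch level.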
How to Mitigate CVE-2024-29786
Immediate Actions Required
- Apply the June 2024 Pixel security patch (2024-06-01 patch level) or any later Android security update on all affected devices.
- Enforce MDM compliance rules that block corporate access for devices below the 2024-06-01 patch level.
- Prioritize patching for devices that connect to untrusted or roaming cellular networks.
Patch Information
Google published the fix in the Android Security Bulletin - June 2024. Devices with a security patch level of 2024-06-01 or later contain the bounds check correction in pktproc_fill_data_addr_without_bm. Pixel users should install the June 2024 over-the-air update; OEM-specific Android builds receive the fix through their vendor's patch rollout.
Workarounds
- No officially documented workaround exists; applying the vendor patch is the supported remediation.
- As a temporary risk reduction, restrict use of affected unpatched devices on untrusted cellular networks.
- Disable cellular data on vulnerable devices where feasible until the update is installed.
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2024-06-01 or later
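The same check applied to more than one device, as an added example that is not part of the original advisory: it compares reported patch levels with 2024-06-01. The `device_id,patch_level` inventory format, the function names and the sample device names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the advisory: classify devices against the
# fixed patch level the advisory gives (2024-06-01).
FIXED_LEVEL=2024-06-01

# classify_patch_level LEVEL -> prints PATCHED, VULNERABLE or UNKNOWN
classify_patch_level() {
    lvl=$(printf '%s' "$1" | tr -d '[:space:]')    # adb output can end in CR/LF
    case "$lvl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;               # empty or malformed: unverified
    esac
    # ISO dates order correctly as integers once the dashes are removed.
    have=$(printf '%s' "$lvl" | tr -d '-')
    need=$(printf '%s' "$FIXED_LEVEL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo PATCHED; else echo VULNERABLE; fi
}

# audit_inventory: reads "device_id,patch_level" lines on stdin (assumed export
# format) and prints every device that is not confirmed PATCHED.
audit_inventory() {
    while IFS=, read -r id reported; do
        verdict=$(classify_patch_level "$reported")
        [ "$verdict" = PATCHED ] || printf '%s %s\n' "$id" "$verdict"
    done
}

# audit_connected_devices: same check for every device attached over adb.
audit_connected_devices() {
    for serial in $(adb devices | awk 'NR > 1 && $2 == "device" { print $1 }'); do
        # </dev/null stops adb shell from consuming the caller's stdin
        raw=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null)
        printf '%s %s\n' "$serial" "$(classify_patch_level "$raw")"
    done
}

# Constructed inventory: device names and levels are sample values.
audit_inventory <<'EOF'
pixel-a,2024-06-05
pixel-b,2024-05-05
pixel-c,
EOF
```

Devices that report no patch level come back as UNKNOWN rather than PATCHED, so they stay on the follow-up list until verified.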


