CVE-2024-29745

CVSS 5.5 MEDIUM · EPSS 0.5% · KEV · CWE-908
Vexday Risk Score: 43 (Attention)
SSVC decision (CISA): Attend
PoC available → attend closely
CVSS 5.5 · EPSS 0.5% · KEV yes · PoC · Nuclei · Metasploit · Patch
Lifecycle
04 Apr 2024: Active exploitation (CISA KEV)
05 Apr 2024: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
In short

A part of the system doesn't properly clean up data in memory before using it, which can leak private information to unauthorized users on the same device. No special access or user action is needed for this to happen.

Technical detail

An uninitialized memory buffer is accessed before being set to safe values, allowing local attackers to read sensitive data without elevated privileges or user interaction. This is a classic information disclosure vulnerability in which residual data from previous operations remains accessible.

Summary generated and translated by AI from the official description.
there is a possible Information Disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
Google · Android
