Use-After-Free Vulnerability in Device Memory Management of Android by Google
CVE-2024-34748

8.4HIGH

Key Information:

Vendor: Google
Status: Android
Vendor: CVE Published:; 28 January 2025

What is CVE-2024-34748?

A vulnerability has been identified in the device memory management component of Android, specifically within the 'DevmemXReservationPageAddress' function of 'devicemem_server.c'. This flaw arises from improper casting, leading to a potential use-after-free condition that allows local escalation of privilege within the kernel environment. The exploitation of this vulnerability does not require any additional execution privileges or user interaction, posing significant security risks for affected devices.

Affected Version(s)

Android Android SoC

References

https://source.android.com/security/bulletin/2024-10-01

CVSS V3.1

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 28, 2025
Vulnerability Reserved
May 7, 2024