CVE-2024-25985

CVSS v3.1: 8.4 HIGH (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

📋 TL;DR

CVE-2024-25985 is a use-after-free in bigo_unlocked_ioctl in bigo.c, the ioctl entry point of the bigo kernel driver that ships on Google Pixel devices. Any code already running locally (for example a malicious app with no special permissions) that can reach the driver's device node can trigger it; no user interaction is needed. Because the bug is in kernel code, a successful exploit yields kernel-level (root-equivalent) code execution, i.e. local privilege escalation. It is fixed in the March 2024 Pixel Update Bulletin (security patch level 2024-03-05 or later).

💻 Affected Systems

Products:
  • Google Pixel devices (the bigo driver is part of the Pixel kernel)
  • Any other Android device that ships the same bigo kernel driver
Versions: Pixel builds with a security patch level earlier than 2024-03-05
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only devices whose kernel includes the bigo driver are affected; Google Pixel devices are confirmed affected. The driver is built into the vendor image and is loaded at boot, so a stock device is vulnerable as shipped.

📦 What is this software?

bigo.c is the Pixel kernel driver for the BigOcean hardware video codec found in Google Tensor SoCs. It is exposed to userspace as a character device, and bigo_unlocked_ioctl is the handler that services ioctl() calls on that device; that ioctl path is where the use-after-free occurs.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full device compromise with root access, allowing installation of persistent malware, data theft, and complete control over the device.

🟠

Likely Case

Local privilege escalation leading to unauthorized access to sensitive data and system resources on compromised devices.

🟢

If Mitigated

Limited impact only where the bigo driver is absent (non-Pixel hardware without this driver) or where the vendor SELinux policy already denies the attacker's process domain access to the bigo device node. On a stock Pixel neither condition can be changed by the user; patching is the real mitigation.

🌐 Internet-Facing: LOW - This is a local privilege escalation; it cannot be triggered over the network and needs code execution on the device first (typically a malicious app, or an app compromised via another bug).
🏢 Internal Only: HIGH - Once any code runs on an unpatched device it can attempt the ioctl directly, so a malicious or compromised app can escalate from its sandbox to the kernel.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No (requires local code execution, but no elevated privileges: PR:N in the CVSS vector)
Complexity: MEDIUM

Exploitation requires local code execution on the device and reliable knowledge of kernel heap state to turn the use-after-free into a controlled write or call; kernel mitigations (KASLR, PAN, CFI on Pixel kernels) raise the bar further. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security patch level 2024-03-05 or later (March 2024 Pixel Update Bulletin)

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2024-03-01

Restart Required: Yes

Instructions:

1. Install the March 2024 (or later) update from Google.
2. On Pixel devices: Settings > System > System update > Check for update.
3. On other Android devices that ship the bigo driver: check with the manufacturer for a build that includes the fix.
4. Reboot the device after the update (the kernel is only replaced on reboot).

🔧 Temporary Workarounds

There is no supported user-level workaround on stock Android.

Disabling the driver does not work as it would on a desktop Linux host: Android has no /etc/modprobe.d, vendor kernel modules are loaded by init from the read-only vendor partition at boot, and rmmod requires the root privileges the attacker is trying to obtain. The following therefore does NOT apply on Android and is listed only so nobody tries it:

echo 'blacklist bigo' >> /etc/modprobe.d/blacklist.conf   # no such path on Android
rmmod bigo                                                  # needs root; module is loaded by init

Likewise, access to the bigo device node is governed by the vendor SELinux policy (Android does not use AppArmor). That policy is part of the signed vendor image and can only be changed by the OEM, not by the user or an MDM. The only effective fix is the patched build.

🧯 If You Can't Patch

  • Treat an unpatched device as rootable by any app on it: block sideloading, keep Google Play Protect on, and in managed fleets use MDM policy to enforce a minimum security patch level and quarantine devices that fall below it.
  • Monitor for crashes and unexpected reboots involving the bigo driver; a kernel panic with bigo functions in the call trace is the most likely visible side effect of a failed exploitation attempt. (Apps cannot load kernel modules on Android, so module-loading monitoring does not apply here.)

🔍 How to Verify

Check if Vulnerable:

On the device: Settings > About phone > Android version > Android security update. If the date shown is earlier than 2024-03-05, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

The value is an ISO date (YYYY-MM-DD); anything earlier than 2024-03-05 is vulnerable.

Verify Fix Applied:

Confirm the security patch level reads 2024-03-05 or later. Note that the fix patches bigo.c in place: the bigo module is still loaded on a fixed device, so 'lsmod | grep bigo' returning a line is expected and is not evidence of a missing fix.
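The following shell script is an added example written for this page, not Google's tooling. It wraps the getprop check above: the patch-level comparison is done as an integer so that it works in plain POSIX sh, 2024-03-05 (the Pixel bulletin's security patch level) is used as the fix threshold, and the --device mode assumes adb is installed and the device has USB debugging enabled.

```shell
#!/bin/sh
# Added example (not from the page or from Google): classify a device as
# FIXED / VULNERABLE / UNKNOWN for CVE-2024-25985 from its security patch level.
FIX_SPL="2024-03-05"   # Pixel bulletin: SPL 2024-03-05 or later carries the fix

# spl_to_int 2024-03-05 -> 20240305; ISO dates compare correctly as integers.
# Returns 1 if the string is not a YYYY-MM-DD date.
spl_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# spl_is_fixed SPL -> exit 0 if fixed, 1 if vulnerable, 2 if SPL is malformed
spl_is_fixed() {
    n=$(spl_to_int "$1") || return 2
    [ "$n" -ge "$(spl_to_int "$FIX_SPL")" ]
}

# classify_spl SPL -> prints FIXED, VULNERABLE or UNKNOWN
classify_spl() {
    rc=0
    spl_is_fixed "$1" || rc=$?
    case "$rc" in
        0) echo FIXED ;;
        1) echo VULNERABLE ;;
        *) echo UNKNOWN ;;
    esac
}

# check_connected_device: query the attached device over adb and report.
# 'tr -d' strips the CR that adb shell appends on some platforms.
check_connected_device() {
    spl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    model=$(adb shell getprop ro.product.model | tr -d '\r')
    echo "$model SPL=$spl -> $(classify_spl "$spl")"
    # The fix patches bigo.c in place; the module still loads on a fixed device,
    # so a non-empty 'lsmod | grep bigo' is expected and is not a finding.
}

# Usage: ./check_cve_2024_25985.sh --device   (otherwise only defines functions)
if [ "${1:-}" = "--device" ]; then
    check_connected_device
fi
```

Run it with --device against a connected phone; for a fleet, feed each device's getprop value to classify_spl from whatever inventory export your MDM produces.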

📡 Detection & Monitoring

Log Indicators:

  • Kernel crash output (via dmesg, logcat, or pstore/ramoops after a reboot) with bigo functions such as bigo_unlocked_ioctl in the call trace; a KASAN "use-after-free" report will only appear on debug kernels with KASAN enabled, which production Pixel builds are not
  • SELinux avc: denied messages for { ioctl } on the bigo device node from an app domain that has no business touching a video codec driver (Android uses SELinux; there are no AppArmor logs)
  • Unexpected reboots or kernel panics on devices below patch level 2024-03-05

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

source="kernel" AND "bigo" AND ("use-after-free" OR "KASAN" OR "Unable to handle kernel" OR "avc: denied")
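As an added example that is not part of the page or any vendor tooling, the script below applies the same logic as the SIEM query to raw log text: it flags lines that mention the bigo driver together with a KASAN report, a call-trace frame, or an SELinux denial. The sample log is constructed for the example (the PID, process name and timestamps are invented); only the message formats (KASAN header, arm64 call-trace frames, avc denials) follow what real kernels emit.

```shell
#!/bin/sh
# Added example (not from the page or from Google): triage dmesg/logcat text
# for crash or denial lines involving the bigo driver (CVE-2024-25985).

# Constructed sample log; not captured from a real device.
SAMPLE_LOG='[   12.345678] bigo 1c200000.bigo: probe done
[  301.111111] BUG: KASAN: use-after-free in bigo_unlocked_ioctl+0x1a4/0x2f0
[  301.111333] Call trace:
[  301.111444]  bigo_unlocked_ioctl+0x1a4/0x2f0
[  301.111555]  __arm64_sys_ioctl+0x5c/0xa0
[  302.222222] type=1400 audit(1709600000.123:45): avc: denied { ioctl } for pid=4321 comm="suspicious" path="/dev/bigo" tclass=chr_file permissive=0
[  303.000000] binder: undelivered transaction 77'

CLEAN_LOG='[   12.345678] bigo 1c200000.bigo: probe done'

# bigo_indicators: read log lines on stdin, print the ones worth a look.
# A line is flagged when it mentions bigo AND carries one of:
#   - a KASAN / use-after-free report
#   - an SELinux avc denial
#   - an Oops
#   - a stack-frame form like bigo_unlocked_ioctl+0x1a4/0x2f0 (call trace)
# Exit status is 0 if anything was flagged, 1 otherwise (grep semantics).
bigo_indicators() {
    grep -iE 'bigo' |
        grep -iE 'KASAN|use-after-free|avc: +denied|Oops|\+0x[0-9a-f]+/0x[0-9a-f]+'
}

# count_bigo_indicators LOGTEXT -> prints the number of flagged lines
count_bigo_indicators() {
    printf '%s\n' "$1" | bigo_indicators | wc -l | tr -d ' '
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | bigo_indicators
echo "flagged: $(count_bigo_indicators "$SAMPLE_LOG")"
```

On a real device run it as adb shell dmesg | ./bigo_triage.sh (or over an exported logcat); a probe message alone is not flagged, so a quiet fixed device produces no output.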

🔗 References

  • Google, Pixel Update Bulletin, March 2024: https://source.android.com/security/bulletin/pixel/2024-03-01
  • NVD entry for CVE-2024-25985: https://nvd.nist.gov/vuln/detail/CVE-2024-25985