CVE-2024-29746 – CVE-2024-29746 is an out-of-bounds write vulner... (How to Fix)

Q: What is the severity of CVE-2024-29746?

CVE-2024-29746 has a CVSS score of 8.4 (HIGH). CVE-2024-29746 is an out-of-bounds write vulnerability in the lpm_req_handler function of lpm.c in Android's kernel. This allows local attackers to escalate privileges without user interaction or additional execution privileges. The vulnerability affects Google Pixel devices running vulnerable Android versions.

📋 TL;DR

CVE-2024-29746 is an out-of-bounds write vulnerability in the lpm_req_handler function of lpm.c in Android's kernel. This allows local attackers to escalate privileges without user interaction or additional execution privileges. The vulnerability affects Google Pixel devices running vulnerable Android versions.

💻 Affected Systems

Products:

Google Pixel devices

Versions: Android versions prior to April 2024 security patch

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Specifically affects Pixel devices; other Android devices may be affected if using similar kernel code.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with root-level access, allowing installation of persistent malware, data theft, and device control.

🟠

Likely Case

Local privilege escalation enabling unauthorized access to sensitive data and system functions.

🟢

If Mitigated

Minimal impact if patched; unpatched devices remain vulnerable to local attackers.

🌐 Internet-Facing: LOW (requires local access, not remotely exploitable)

🏢 Internal Only: HIGH (local attackers can exploit without authentication)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access but no user interaction; kernel vulnerabilities often attract exploit development.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: April 2024 Android security patch level

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2024-04-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > System update. 2. Install April 2024 security patch. 3. Reboot device.

🔧 Temporary Workarounds

No effective workarounds

all

Kernel vulnerabilities typically require patching; no configuration changes mitigate this vulnerability.

🧯 If You Can't Patch

Restrict physical access to devices
Implement strict application control to prevent malicious apps

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android version > Security patch level. If before April 2024, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows 'April 5, 2024' or later in Settings > About phone.

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
Unexpected privilege escalation attempts in audit logs

Network Indicators:

None (local exploit only)

SIEM Query:

Search for kernel panic events or unexpected root access on Android devices.

📊 Metadata

CVE ID: CVE-2024-29746

CVSS v3 Score: 8.4 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: April 5, 2024

Last Updated: June 17, 2025

🔗 References

https://source.android.com/security/bulletin/pixel/2024-04-01 Vendor Advisory
https://source.android.com/security/bulletin/pixel/2024-04-01 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-29746, you might also want to check these: