CVE-2024-31313 – This vulnerability in Android's Fast Message Qu... (How to Fix)

Q: What is the severity of CVE-2024-31313?

CVE-2024-31313 has a CVSS score of 7.8 (HIGH). This vulnerability in Android's Fast Message Queue (FMQ) library allows an out-of-bounds write due to incorrect bounds checking in the availableToWriteBytes function. It enables local privilege escalation without requiring user interaction or additional execution privileges. Affected systems include Android devices running vulnerable versions of the libfmq library.

📋 TL;DR

This vulnerability in Android's Fast Message Queue (FMQ) library allows an out-of-bounds write due to incorrect bounds checking in the availableToWriteBytes function. It enables local privilege escalation without requiring user interaction or additional execution privileges. Affected systems include Android devices running vulnerable versions of the libfmq library.

💻 Affected Systems

Products:

Android devices using Fast Message Queue (FMQ) library

Versions: Android versions prior to the June 2024 security patch

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices using the vulnerable libfmq library version. The vulnerability is in the system/libfmq component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through local privilege escalation to root/system-level access, potentially leading to complete device control, data theft, or installation of persistent malware.

🟠

Likely Case

Local attacker gains elevated privileges to access sensitive data, modify system settings, or install malicious applications without user consent.

🟢

If Mitigated

Limited impact with proper security controls like SELinux, app sandboxing, and timely patching preventing successful exploitation.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring local access to the device, not directly exploitable over the internet.

🏢 Internal Only: HIGH - Malicious apps or users with local access can exploit this to escalate privileges without user interaction.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access but no user interaction. The vulnerability is in a system library used for inter-process communication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android June 2024 security patch or later

Vendor Advisory: https://source.android.com/security/bulletin/2024-06-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update. 2. Install the June 2024 or later security patch. 3. Reboot the device after installation.

🔧 Temporary Workarounds

Restrict local app installations

android

Prevent installation of untrusted applications that could exploit this vulnerability

adb shell settings put secure install_non_market_apps 0

🧯 If You Can't Patch

Implement strict application allowlisting to prevent untrusted apps from running
Enable enhanced security features like SELinux and app sandboxing to limit impact

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android version > Security patch level. If before June 2024, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows June 2024 or later. Check that the libfmq library has been updated to version containing commit 79bbf4aeef4b254c52da670a972e22956c8c659d.

📡 Detection & Monitoring

Log Indicators:

Unusual privilege escalation attempts in system logs
SELinux denials related to libfmq or FMQ operations
Abnormal process behavior indicating out-of-bounds memory access

Network Indicators:

No direct network indicators as this is a local vulnerability

SIEM Query:

source="android_system_logs" AND (event="privilege_escalation" OR event="selinux_denial") AND process="*fmq*"

📊 Metadata

CVE ID: CVE-2024-31313

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: July 9, 2024

Last Updated: December 17, 2024

🔗 References

https://android.googlesource.com/platform/system/libfmq/+/79bbf4aeef4b254c52da670a972e22956c8c659d Mailing List,Patch
https://source.android.com/security/bulletin/2024-06-01 Patch,Vendor Advisory
https://android.googlesource.com/platform/system/libfmq/+/79bbf4aeef4b254c52da670a972e22956c8c659d Mailing List,Patch
https://source.android.com/security/bulletin/2024-06-01 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-31313, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Android by Google

Android by Google

Android by Google

Android by Google

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict local app installations

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities