CVE-2024-47034

5.5 MEDIUM

📋 TL;DR

CVE-2024-47034 is an out-of-bounds read vulnerability in Android that allows local attackers to read memory beyond allocated buffers without requiring user interaction or elevated privileges. This could disclose sensitive information from the device's memory. The vulnerability affects Google Pixel devices running specific Android versions.

💻 Affected Systems

Products:
  • Google Pixel devices
Versions: Android versions prior to the October 2024 security update
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices that haven't applied the October 2024 Android security update. Requires local access to the device.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could read sensitive information from device memory, potentially exposing authentication tokens, encryption keys, or other protected data.

🟠 Likely Case

Local information disclosure of non-critical system data or application memory contents.

🟢 If Mitigated

Minimal impact if proper security updates are applied and device isolation controls are in place.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring physical or local network access to the device.
🏢 Internal Only: MEDIUM - Malicious apps or users with local access could exploit this to gather information about the device.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access to the device. No user interaction needed once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2024 Android security update

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2024-10-01

Restart Required: Yes

Instructions:

1. Go to Settings > System > System update on your Pixel device.
2. Check for and install the October 2024 security update.
3. Restart the device after installation completes.

🔧 Temporary Workarounds

Restrict local access

Limit physical and network access to vulnerable devices to reduce the attack surface.

🧯 If You Can't Patch

  • Isolate vulnerable devices from untrusted networks and users
  • Implement application sandboxing and privilege separation to limit potential information disclosure

🔍 How to Verify

Check if Vulnerable:

Check Android version and security patch level in Settings > About phone > Android version

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows 'October 5, 2024' or later in Settings > About phone
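
The check above, scripted for several devices at once. This is an added example, not part of the vendor advisory. It assumes adb is on the PATH and that the property is returned in YYYY-MM-DD form; the function names and the script name check_patch.sh are hypothetical.

```shell
#!/bin/sh
# Added example: classify devices by security patch level.
# FIXED_LEVEL is the level this page gives for the fix (October 5, 2024),
# written in the YYYY-MM-DD form assumed for getprop output.
FIXED_LEVEL="2024-10-05"

# patch_status LEVEL -> prints PATCHED, VULNERABLE or UNKNOWN
patch_status() {
    # adb output can carry a trailing carriage return; strip it and spaces.
    level=$(printf '%s' "$1" | tr -d '\r ')
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;   # empty or unexpected format
    esac
    # Compare dates as integers: 2024-10-05 -> 20241005
    have=$(printf '%s' "$level" | tr -cd '0-9')
    need=$(printf '%s' "$FIXED_LEVEL" | tr -cd '0-9')
    if [ "$have" -ge "$need" ]; then
        echo PATCHED
    else
        echo VULNERABLE
    fi
}

# scan_devices: print serial, patch level and status for each attached device.
scan_devices() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 1; }
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null keeps adb from consuming the list of serials on stdin
        level=$(adb -s "$serial" shell getprop \
            ro.build.version.security_patch </dev/null | tr -d '\r')
        printf '%s\t%s\t%s\n' "$serial" "$level" "$(patch_status "$level")"
    done
}

# Run the scan only when asked: sh check_patch.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_devices
fi
```

A device reported as UNKNOWN returned an empty or unexpected value and should be checked by hand in Settings > About phone.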

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory access patterns in system logs
  • Process crashes related to memory bounds violations

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Not applicable for network detection - focus on endpoint monitoring for unusual process behavior
