CVE-2024-47039 – This vulnerability in Android's BootControl com... (How to Fix)

Q: What is the severity of CVE-2024-47039?

CVE-2024-47039 has a CVSS score of 5.5 (MEDIUM). This vulnerability in Android's BootControl component allows local attackers to read memory beyond intended boundaries without requiring privileges or user interaction. It affects Android devices, particularly Google Pixel phones, potentially exposing sensitive system information.

📋 TL;DR

This vulnerability in Android's BootControl component allows local attackers to read memory beyond intended boundaries without requiring privileges or user interaction. It affects Android devices, particularly Google Pixel phones, potentially exposing sensitive system information.

💻 Affected Systems

Products:

Google Pixel phones
Android devices using affected BootControl implementation

Versions: Android versions prior to November 2024 security patch

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Specifically affects the BootControl component in Android's bootloader/verified boot implementation.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could read sensitive system memory contents, potentially exposing cryptographic keys, authentication tokens, or other protected data stored in adjacent memory regions.

🟠

Likely Case

Local information disclosure of boot-related data or adjacent memory contents, which could aid in further exploitation attempts.

🟢

If Mitigated

Limited impact with proper memory isolation and minimal sensitive data in affected memory regions.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring physical or local access to the device.

🏢 Internal Only: MEDIUM - Malicious apps or users with local access could exploit this to gather system information.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access but no privileges. Exploitation involves triggering the out-of-bounds read condition in boot control logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: November 2024 Android security patch level

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2024-11-01

Restart Required: Yes

Instructions:

1. Apply November 2024 Android security update. 2. For Pixel devices: Settings > System > System update > Check for update. 3. For other Android devices: Check manufacturer's security update schedule. 4. Reboot device after update installation.

🔧 Temporary Workarounds

Restrict local access

all

Limit physical and local application access to devices through security policies

🧯 If You Can't Patch

Implement strict application sandboxing and privilege separation
Monitor for suspicious local access attempts and memory access patterns

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level: Settings > About phone > Android version > Security patch level. If before November 2024, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows November 2024 or later after applying update.

📡 Detection & Monitoring

Log Indicators:

Unusual bootloader/boot control log entries
Memory access violations in system logs

Network Indicators:

Not applicable - local vulnerability

SIEM Query:

source="android_system" AND ("BootControl" OR "bootloader") AND ("out of bounds" OR "memory violation")

📊 Metadata

CVE ID: CVE-2024-47039

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-125

Published: December 18, 2024

Last Updated: July 24, 2025

🔗 References

https://source.android.com/security/bulletin/pixel/2024-11-01 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-47039, you might also want to check these: