Cyber Resilience

CVE-2024-29745

MediumCISA KEVActive ExploitationEUVD Exploited

Published: 05 April 2024

Published
05 April 2024
Modified
24 October 2025
KEV Added
04 April 2024
Patch
CVSS Score v3.1 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0021 42.6th percentile
Risk Priority 31 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-29745 is a medium-severity Use of Uninitialized Resource (CWE-908) vulnerability in Google Android. Its CVSS base score is 5.5 (Medium).

Operationally, ranked at the 42.6th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-16 (Memory Protection).

Deeper analysis

CVE-2024-29745 is an information disclosure vulnerability stemming from the use of uninitialized data, tracked under CWE-908. It affects Pixel devices running Android and was disclosed in the April 2024 Android security bulletin, carrying a CVSS 3.1 score of 5.5 that reflects local attack vector, low complexity, and high impact on confidentiality with no privileges or user interaction required.

A local attacker who already has a presence on the device can exploit the flaw to read sensitive information from uninitialized memory regions. No additional execution privileges or user interaction are needed, allowing the issue to be triggered directly by any process or app running with standard local access.

The official Pixel security bulletin published on 2024-04-01 addresses the issue through platform updates that initialize memory before use. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities catalog, confirming that mitigation via the referenced patches is required for affected devices.

EPSS for the CVE rose from a low baseline to a recorded peak of 0.0118, indicating emerging exploitation interest after public disclosure.

EU & UK References

Vulnerability details

there is a possible Information Disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)
KEV Date Added
04 April 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
android
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires memory protection mechanisms that would prevent disclosure of sensitive data from uninitialized memory regions (CWE-908).

prevent

Requires protection against information leakage through reuse of shared system resources such as uninitialized memory buffers.

prevent

Enforces process isolation boundaries that limit a local attacker’s ability to read another process’s uninitialized memory.

References