CVE-2024-29748
Published: 05 April 2024
Summary
CVE-2024-29748 is a high-severity Improper Handling of Exceptional Conditions (CWE-755) vulnerability in Google Android. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 39.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-29748 is a logic error that permits a bypass in affected code, impacting Android devices as documented in the April 2024 Pixel security bulletin. The flaw is tracked under CWE-755 and CWE-280 and carries a CVSS 3.1 score of 7.8, reflecting a local attack vector, low complexity, no privileges required, and required user interaction.
An attacker with local access can leverage the vulnerability to escalate privileges without additional execution rights, resulting in full compromise of confidentiality, integrity, and availability on the device once user interaction occurs.
The official Android Pixel bulletin dated 2024-04-01 and corresponding CISA entry describe the availability of patches that address the issue in the April 2024 release; applying those updates is the indicated mitigation.
The vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild activity. Its EPSS score rose from a low baseline to a recorded peak of 0.0118, indicating increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-26743
Vulnerability details
There is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
- CWE(s): CWE-755, CWE-280
- KEV Date Added: 04 April 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- Directly enforces the security checks whose logic error was bypassed to achieve privilege escalation.
- Requires timely application of the vendor patch that corrects the logic flaw enabling the bypass.
- Limits the privileges an unprivileged local process can obtain even if the security-check bypass succeeds.