Cyber Resilience

CVE-2024-29748

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 05 April 2024

Modified: 24 October 2025
KEV Added: 04 April 2024
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0039 (60.5th percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-29748 is a high-severity Improper Handling of Exceptional Conditions (CWE-755) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 39.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-29748 is a logic error that permits a bypass in affected code, impacting Android devices as documented in the April 2024 Pixel security bulletin. The flaw is tracked under CWE-755 and CWE-280 and carries a CVSS 3.1 score of 7.8, reflecting local attack vector, low complexity, no privileges required, and required user interaction.

An attacker with local access can leverage the vulnerability to escalate privileges without additional execution rights, resulting in full compromise of confidentiality, integrity, and availability on the device once user interaction occurs.

The official Android Pixel bulletin dated 2024-04-01 and corresponding CISA entry describe the availability of patches that address the issue in the April 2024 release; applying those updates is the indicated mitigation.

The vulnerability appears in CISA’s known exploited vulnerabilities catalog, confirming observed in-the-wild activity. Its EPSS score rose from a low baseline to a recorded peak of 0.0118, indicating increased exploitation interest after disclosure.

Vulnerability details

There is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CWE(s)
KEV Date Added: 04 April 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google · android · ≤ 2024-04-05

Mitigating Controls (NIST 800-53 r5)

prevent: Directly enforces the security checks whose logic error was bypassed to achieve privilege escalation.

prevent: Requires timely application of the vendor patch that corrects the logic flaw enabling the bypass.

prevent: Limits the privileges an unprivileged local process can obtain even if the security-check bypass succeeds.

References