CVE-2024-34748

High

Published: 28 January 2025

Published

28 January 2025

Modified

27 June 2025

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 8.9th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

In _DevmemXReservationPageAddress of devicemem_server.c, there is a possible use-after-free due to improper casting. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2024-34748 is a use-after-free vulnerability stemming from improper casting in the _DevmemXReservationPageAddress function within devicemem_server.c. This flaw affects the Android kernel, potentially enabling arbitrary code execution at the kernel level.

A local attacker can exploit this vulnerability with no additional execution privileges required and without needing user interaction. Successful exploitation leads to local escalation of privilege in the kernel, granting high-impact confidentiality, integrity, and availability effects as reflected in its CVSS v3.1 score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue is classified under CWE-416 (Use After Free).

The Android Security Bulletin dated October 1, 2024, addresses this vulnerability with patches available at https://source.android.com/security/bulletin/2024-10-01.

Details

CWE(s): CWE-416

Affected Products

google

android

all versions

References

https://source.android.com/security/bulletin/2024-10-01
Vendor Advisory · security@android.com