CVE-2024-29745
published 2024-04-05CVE-2024-29745: there is a possible Information Disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges…
PriorityP279medium5.5CVSS 3.1
AVLACLPRLUINSUCHINAN
KEVITW
CISA Known Exploited Vulnerabilitydue 2024-04-25
Exploited in the wild
EPSS
0.48%
38.0th percentile
there is a possible Information Disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2024-29745 is exploited via the fastboot firmware interface on Android Pixel devices; monitor for unauthorized fastboot mode access or USB debugging activity on confiscated/targeted devices ↗
- →CVE-2024-29745 is paired with CVE-2024-29748 in active in-the-wild exploitation campaigns; detections should consider both CVEs together as a combined exploitation chain ↗
- ·The vulnerability is in the fastboot firmware specifically, not the main Android OS runtime; patches are device-specific to Android Pixel and were released in the April 2024 Pixel security bulletin ↗
- ·Exploitation requires no additional execution privileges and no user interaction, making it particularly dangerous for physically accessed (e.g., confiscated) devices ↗
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vulncheck5.5MEDIUM
cisa5.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-h574-gj9q-j8mx: there is a possible Information Disclosure due to uninitialized data
ghsa_unreviewed·2024-04-05
CVE-2024-29745 [MEDIUM] CWE-908 GHSA-h574-gj9q-j8mx: there is a possible Information Disclosure due to uninitialized data
there is a possible Information Disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
OSV
CVE-2024-29745: there is a possible Information Disclosure due to uninitialized data
osv·2024-04-01
CVE-2024-29745 CVE-2024-29745: there is a possible Information Disclosure due to uninitialized data
there is a possible Information Disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
VulnCheck
Android Pixel Information Disclosure Vulnerability
vulncheck·2024·CVSS 5.5
CVE-2024-29745 [MEDIUM] CWE-908 Android Pixel Information Disclosure Vulnerability
Android Pixel Information Disclosure Vulnerability
Android Pixel contains an information disclosure vulnerability in the fastboot firmware used to support unlocking, flashing, and locking affected devices.
Affected: Android Pixel
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://source.android.com/docs/security/bulletin/pixel/2024-04-01; https://x.com/GrapheneOS/status/1775305179581018286; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://ti.qianxin.com/uploads/2024/08/19/2274f632f6a1d8acd2f1801c24887edb.pdf; https://360.net/research/report/#:~:text
CISA
Android Pixel Information Disclosure Vulnerability
cisa·2024-04-04·CVSS 5.5
CVE-2024-29745 [MEDIUM] CWE-908 Android Pixel Information Disclosure Vulnerability
Vulnerability: Android Pixel Information Disclosure Vulnerability
Affected: Android Pixel
Android Pixel contains an information disclosure vulnerability in the fastboot firmware used to support unlocking, flashing, and locking affected devices.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://source.android.com/docs/security/bulletin/pixel/2024-04-01 ; https://nvd.nist.gov/vuln/detail/CVE-2024-29745
Remediation Due Date: 2024-04-25
No detection rules found.
No public exploits indexed.
2024-04-05
Published
2024-04-04
Added to CISA KEV
Exploited in the wild