CVE-2024-36971
Lookout Coverage and Recommendation for Admins
To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:
- Enable the Patch Level Out of Date policy in the Protections tab. We suggest manually choosing Android Security Patch Level (ASPL) 2024-08-05 as the minimum level.
- Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities in order to phish credentials or deliver malicious apps to the device.
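The same minimum can be spot-checked outside the console. The script below is an added example, not Lookout code: the function names and the sample inventory are constructed for illustration, and `device_aspl` assumes `adb` is installed and a device is attached. Note that a device reporting 2024-08-01 is still below the recommended 2024-08-05 minimum.

```shell
#!/bin/sh
# Minimum Android security patch level (ASPL) recommended on this page.
MIN_ASPL="2024-08-05"

# Exit status: 0 = at or above the minimum, 1 = older than the minimum,
# 2 = missing or malformed value (treated as non-compliant by the caller).
aspl_status() {
    level=$1
    min=${2:-$MIN_ASPL}
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # YYYY-MM-DD values compare correctly as integers once dashes are removed.
    l=$(printf '%s' "$level" | tr -d '-')
    m=$(printf '%s' "$min" | tr -d '-')
    [ "$l" -ge "$m" ]
}

# Read "serial patch_level" lines on stdin; print serials that fail the check.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        aspl_status "$level" || echo "$serial"
    done
}

# Read the patch level from an attached device (needs adb; not called below).
device_aspl() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# Constructed sample inventory (hypothetical serials), one device per line.
SAMPLE_INVENTORY='PIXEL8-A1 2024-08-05
GALAXY-B2 2024-08-01
MOTO-C3 2024-07-05
TABLET-D4 unknown
PIXEL9-E5 2024-09-05'

echo "Devices below ASPL $MIN_ASPL:"
printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

For a single attached device, `aspl_status "$(device_aspl)"` gives the same result code.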
Overview
Google has recently disclosed a new zero-day vulnerability affecting all devices running its Android operating system. The vulnerability, CVE-2024-36971, is a use-after-free (UAF) vulnerability in the Linux kernel’s network route management code. UAF vulnerabilities occur when a program continues to use a memory location after it has been freed, which an attacker can then exploit to compromise that program.
Google has also indicated that there is a known exploit for this vulnerability in the wild. While it hasn’t been disclosed who is behind the exploit, the National Vulnerability Database (NVD) has rated this vulnerability with a high risk score of 7.8/10. It appears that user interaction is unnecessary for a successful exploit, which would grant the attacker the ability to remotely execute arbitrary code without the user’s knowledge.
Lookout Analysis
While Google has released a patch for Pixel devices at the time of writing, there is an inevitable window of time between when the patch is released and when users actually install it. Another time gap occurs as other device manufacturers who run Android test the Google patch for their devices. Both gaps give attackers greater opportunity and chance of success.
It may be possible to exploit this vulnerability without any user interaction on the device by sending maliciously crafted packets to the device. Given that this vulnerability is found in the core network stack of the kernel, it has the potential to affect all manufacturers of Android devices.
Authors
Lookout Mobile Endpoint Security