CVE-2024-29745 — Android Pixel Information Disclosure Vulnerability

Android Pixel Fastboot Firmware — Uninitialized Memory Disclosure in Fastboot Mode Enables Kernel Address Leakage; Paired with CVE-2024-29748 for Forensic Tool Exploitation Chain

What is Android Pixel Fastboot Mode?

Fastboot is a low-level USB protocol and firmware mode used to flash, unlock, and manage Android devices at the bootloader level — below the normal Android OS. When a Pixel device is in fastboot mode (accessed by holding power + volume down at boot, or via adb reboot bootloader), the device presents a minimal firmware environment that handles partition flashing, device locking/unlocking, and factory reset operations. Forensic access tools (Cellebrite UFED, GrayKey, and similar products) use fastboot mode and USB connectivity to gain low-level access to Android devices — particularly to extract data from locked or encrypted devices by exploiting vulnerabilities in the fastboot firmware or the kernel before full OS boot.

Overview

CVE-2024-29745 is a use of uninitialized resource vulnerability in the Android Pixel fastboot firmware that allows local read of kernel memory contents. It was patched in the April 2024 Pixel Security Bulletin alongside CVE-2024-29748 (factory reset interruption), forming a two-vulnerability exploitation chain used by forensic access tools. Google confirmed limited, targeted exploitation — the context of exploitation is consistent with forensic hardware tools connecting to Pixel devices via USB to extract data from locked devices without the owner's knowledge or consent.

Affected Versions

Platform: Google Pixel (all models with April 2024 patch level)
Status: Patched in April 2024 Pixel Security Bulletin

Earlier Pixel models at end of support life may not receive the patch.

Technical Details

CWE-908 (Use of Uninitialized Resource). The Pixel fastboot firmware contains a memory handling flaw where a buffer or data structure is used or returned before it has been fully initialized. The uninitialized memory region retains whatever data was previously at that memory location, potentially including kernel pointers, encryption keys, security-sensitive configuration data, or other memory contents.

By sending specially crafted fastboot commands to a device in fastboot mode, an attacker can trigger the code path that returns the uninitialized memory region, leaking its contents over the USB connection. This information disclosure is the prerequisite step in the forensic tool exploitation chain: leaked kernel addresses are used to defeat KASLR (Kernel Address Space Layout Randomization), which then enables a subsequent memory corruption exploit (such as CVE-2024-29748 or kernel write primitives) to precisely target kernel data structures. Without the address leak, the write exploits cannot reliably locate their targets.

Discovery

Attributed to exploitation by specialized forensic access tools, most likely commercial products used by law enforcement and intelligence agencies (Cellebrite UFED, GrayKey, or similar). Google's description of "limited, targeted exploitation" is the standard language for forensic-tool attacks against specific individuals' devices rather than opportunistic mass exploitation. CISA added the CVE to its KEV catalog on April 4, the day before its formal publication on April 5, reflecting urgency around the confirmed targeted exploitation.

Exploitation Context

CVE-2024-29745 is the information disclosure component of a two-stage Pixel exploitation chain:

  1. Stage 1 (CVE-2024-29745): Connect to device in fastboot mode via USB → trigger uninitialized memory read → leak kernel addresses → defeat KASLR
  2. Stage 2 (CVE-2024-29748): Use leaked addresses to precisely target kernel memory corruption → interrupt factory reset → prevent data wipe → preserve access to device data

This chain is characteristic of commercial forensic extraction tools used against high-value targets (activists, journalists, government officials, criminal suspects) by state actors and law enforcement. The "targeted exploitation" context means organizations in security-sensitive roles should treat this as a physical security issue — a device that falls into adversary hands long enough for a USB fastboot connection should be treated as compromised.

Remediation

  1. Apply the April 2024 Pixel Security Bulletin update to all Pixel devices — verify via Settings → Security → Security update, patch level 2024-04-01 or later.
  2. Enable USB restricted mode: on patched Pixel devices, USB data connections are blocked when the device is locked — this prevents fastboot mode exploitation without the device PIN/pattern.
  3. Keep devices physically secure — fastboot exploitation requires physical USB access to the device; device custody controls are as important as software patches.
  4. Also apply the patch for CVE-2024-29748 (factory reset bypass) — both vulnerabilities are included in the April 2024 Pixel bulletin and form a combined exploitation chain.
  5. For end-of-support Pixel models that will not receive the April 2024 patch, replace devices used in security-sensitive roles where physical adversary access is a realistic threat.
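The patch-level check in step 1 can be done over USB debugging for a fleet of managed devices instead of through the Settings UI. The following script is an added example, not code from Google or from this advisory: it reads the `ro.build.version.security_patch` property that `adb shell getprop` reports and compares it with the 2024-04-01 patch level named above. The `adb devices -l` output and the per-device patch levels are constructed sample data so the script runs offline; `query_adb` is the live path and assumes `adb` is on PATH and each device is unlocked with USB debugging authorized.

```python
"""Fleet check for the April 2024 Pixel patch level (added example, not from
the Pixel bulletin or this advisory). Reads ro.build.version.security_patch
per device; sample adb output below is constructed for offline use."""
import re
import subprocess
from datetime import date

# Patch level named in the April 2024 Pixel Security Bulletin (from the advisory).
REQUIRED_PATCH_LEVEL = date(2024, 4, 1)

# Constructed sample: what `adb devices -l` prints with three devices attached
# (serials are made up; the third device has not authorized USB debugging).
SAMPLE_DEVICES_OUTPUT = """List of devices attached
1A2B3C4D5E6F       device usb:1-1 product:husky model:Pixel_8_Pro device:husky transport_id:1
0F9E8D7C6B5A       device usb:1-2 product:panther model:Pixel_7 device:panther transport_id:2
AABBCCDDEEFF       unauthorized usb:1-3 transport_id:3
"""

# Constructed sample: value of ro.build.version.security_patch per serial.
SAMPLE_PATCH_LEVELS = {
    "1A2B3C4D5E6F": "2024-04-05",
    "0F9E8D7C6B5A": "2024-03-05",
}

DEVICE_LINE = re.compile(r"^(?P<serial>\S+)\s+(?P<state>\S+)")


def parse_adb_devices(output: str) -> dict:
    """Map serial -> adb state ('device', 'unauthorized', ...) from `adb devices -l` text."""
    devices = {}
    for line in output.splitlines()[1:]:  # skip the 'List of devices attached' header
        m = DEVICE_LINE.match(line.strip())
        if m:
            devices[m.group("serial")] = m.group("state")
    return devices


def parse_patch_level(prop_value: str) -> date:
    """Parse the YYYY-MM-DD value of ro.build.version.security_patch."""
    return date.fromisoformat(prop_value.strip())


def is_patched(prop_value: str) -> bool:
    """True when the reported patch level is 2024-04-01 or later."""
    return parse_patch_level(prop_value) >= REQUIRED_PATCH_LEVEL


def assess_fleet(devices: dict, patch_levels: dict) -> dict:
    """Classify each serial as 'patched', 'vulnerable', or 'unknown' (no authorized shell)."""
    result = {}
    for serial, state in devices.items():
        if state != "device" or serial not in patch_levels:
            result[serial] = "unknown"
        elif is_patched(patch_levels[serial]):
            result[serial] = "patched"
        else:
            result[serial] = "vulnerable"
    return result


def query_adb() -> dict:
    """Live path: read the patch level from every authorized device via adb."""
    out = subprocess.run(["adb", "devices", "-l"],
                         capture_output=True, text=True, check=True).stdout
    devices = parse_adb_devices(out)
    levels = {}
    for serial, state in devices.items():
        if state == "device":
            prop = subprocess.run(
                ["adb", "-s", serial, "shell", "getprop", "ro.build.version.security_patch"],
                capture_output=True, text=True, check=True).stdout
            levels[serial] = prop.strip()
    return assess_fleet(devices, levels)


if __name__ == "__main__":
    # Offline run over the constructed sample; use query_adb() against real devices.
    fleet = assess_fleet(parse_adb_devices(SAMPLE_DEVICES_OUTPUT), SAMPLE_PATCH_LEVELS)
    for serial, verdict in fleet.items():
        print(f"{serial}: {verdict}")
```

A device reported as "unknown" (no authorized adb shell) should be checked through the Settings UI as in step 1; a "vulnerable" verdict on an end-of-support model is the replacement case described in step 5.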

Key Details

CVE ID: CVE-2024-29745
Vendor / Product: Android — Pixel
NVD Published: 2024-04-05
NVD Last Modified: 2025-10-24
CVSS 3.1 Score: 5.5
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM
CWE: CWE-908
CISA KEV Added: 2024-04-04
CISA KEV Deadline: 2024-04-25
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2024-04-25. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

2024-04-01: Google publishes April 2024 Pixel Security Bulletin patching CVE-2024-29745 and CVE-2024-29748
2024-04-04: CISA adds CVE-2024-29745 to Known Exploited Vulnerabilities catalog
2024-04-05: CVE-2024-29745 formally published
2024-04-25: CISA BOD 22-01 remediation deadline

References

Android — Pixel Security Bulletin April 2024 (Vendor Advisory)
NVD — CVE-2024-29745 (Vulnerability Database)
CISA KEV Catalog Entry (US Government)