CVE-2024-29748 — Android Pixel Privilege Escalation Vulnerability

CVE-2024-29748

Android Pixel — Improper Error Handling Allows Interruption of MDM-Triggered Factory Reset; Forensic Tool Exploitation Context

What are Android Pixel Devices?

Google Pixel phones run Android with Google's direct software maintenance, receiving monthly security updates from Google. Pixel devices include enterprise mobile device management (MDM) support, allowing IT administrators or device admin apps to remotely wipe or factory reset a device to protect corporate data if the device is lost, stolen, or compromised. This remote wipe capability is a critical security feature for organizations managing fleets of devices containing sensitive data.

Overview

CVE-2024-29748 is a privilege escalation vulnerability in Android Pixel devices that allows an attacker to interrupt a factory reset that has been triggered by a device admin app or MDM solution. By preventing the factory reset from completing, an attacker who has physical access to a device — or who can install a malicious app — can preserve sensitive data that was intended to be wiped. Google confirmed "limited, targeted exploitation" at the time of disclosure, consistent with use by mobile forensics tools or law enforcement-adjacent technology vendors. The KEV addition on April 4, 2024 — the day before the CVE publication date — reflects the urgency of confirmed exploitation.

Affected Versions

Device: Pixel devices (Pixel 6 and later)
Status: Patched (April 2024 Pixel Security Bulletin)

Technical Details

CWE-755 (Improper Handling of Exceptional Conditions). The vulnerability lies in how the Pixel firmware handles error conditions or interruptions during the factory reset process initiated by a privileged device admin application. When a factory reset is triggered via the DevicePolicyManager API, the reset process can be interfered with through a carefully timed action (such as triggering a crash, rebooting the device in a specific state, or exploiting an error path) that causes the reset to abort before completing.

The result is that the device retains its data, user accounts, and applications — defeating the security guarantee that a remotely triggered wipe actually removes sensitive information from the device. This is particularly exploitable in scenarios where law enforcement or adversaries have physical access to a device that the owner is attempting to remotely wipe, or where a malicious app installed on the device blocks factory resets initiated by corporate MDM so that it persists on the device after an attempted wipe.

CVE-2024-29748 is closely related to CVE-2024-29745, which leaks fastboot memory in a way that assists in bypassing Android's security model — the two vulnerabilities were used together in forensic exploitation chains targeting specific individuals.

Discovery

The "limited, targeted exploitation" designation indicates Google TAG or a security partner observed this being exploited against specific individuals. The vulnerability's nature — interrupting MDM-triggered factory resets — is consistent with commercial mobile forensics tools that have developed techniques to extract data from devices that an owner has attempted to remotely wipe. The same April 2024 bulletin addressed the companion CVE-2024-29745.

Exploitation Context

The ability to interrupt a factory reset is most valuable to: (1) law enforcement and intelligence agencies conducting device forensics, (2) adversaries with physical access to a target's device who want to prevent the owner from wiping it remotely, and (3) malicious apps installed by stalkerware or spyware operators that want to survive MDM wipe commands. The "limited, targeted exploitation" language explicitly rules out broad criminal campaigns and points to sophisticated, individualized targeting.

Remediation

  1. Apply the April 2024 Pixel security update immediately — verify via Settings → Security → Security update.
  2. Enable automatic system updates on all managed Pixel devices to minimize the window of vulnerability.
  3. For organizations relying on MDM remote wipe as a data protection control: verify that wipes complete successfully after patching, and treat unpatched devices as unable to guarantee remote wipe effectiveness.
  4. Consider physical security controls for devices containing highly sensitive data — remote wipe should be a secondary control, not the sole protection against device compromise.
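
As an added example (not part of the original advisory or any vendor tooling), the Python triage below applies steps 1 and 3 to an MDM inventory export: it flags devices whose patch level predates April 2024 and devices that kept checking in after a wipe command was issued. The CSV column names, the sample rows, the April 2024 patch floor and the rule that a completed wipe ends check-ins under the old device record are assumptions.

```python
import csv
import io
from datetime import date, datetime

# Assumption: a patch level dated April 2024 or later carries the fix named on
# this page; set the exact level from the Pixel bulletin before relying on it.
PATCH_FLOOR = date(2024, 4, 1)

# Constructed MDM inventory export; the column names are hypothetical.
SAMPLE_EXPORT = """\
device_id,model,security_patch,wipe_issued,last_checkin
px-001,Pixel 8,2024-04-05,,2024-04-20T09:00:00
px-002,Pixel 7,2024-03-05,,2024-04-20T09:05:00
px-003,Pixel 6,2024-03-05,2024-04-10T12:00:00,2024-04-11T08:30:00
px-004,Pixel 8 Pro,2024-04-05,2024-04-12T15:00:00,2024-04-12T14:59:00
px-005,Pixel 7a,unknown,,2024-04-19T10:00:00
"""

def triage(export_text, floor=PATCH_FLOOR):
    """Return {device_id: [findings]} for devices that need follow-up."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        try:
            patched = date.fromisoformat(row["security_patch"]) >= floor
        except ValueError:
            issues.append("patch level unreadable: treat as unpatched")
        else:
            if not patched:
                issues.append("unpatched: remote wipe not guaranteed")
        if row["wipe_issued"] and row["last_checkin"]:
            issued = datetime.fromisoformat(row["wipe_issued"])
            seen = datetime.fromisoformat(row["last_checkin"])
            # Assumption: a completed wipe ends check-ins under the old device
            # record, so a later check-in means the wipe did not finish.
            if seen > issued:
                issues.append("checked in after wipe command: wipe incomplete")
        if issues:
            findings[row["device_id"]] = issues
    return findings

if __name__ == "__main__":
    for device_id, issues in triage(SAMPLE_EXPORT).items():
        print(device_id, "; ".join(issues))
```
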

Key Details

CVE ID: CVE-2024-29748
Vendor / Product: Android — Pixel
NVD Published: 2024-04-05
NVD Last Modified: 2025-10-24
CVSS 3.1 Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-755
CISA KEV Added: 2024-04-04
CISA KEV Deadline: 2024-04-25
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-04-25. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

2024-04-04: Google releases April 2024 Pixel Security Bulletin; CISA adds CVE-2024-29748 to KEV the same day — confirming limited targeted exploitation
2024-04-25: CISA BOD 22-01 remediation deadline

References

Android Pixel Security Bulletin — April 2024 (Vendor Advisory)
NVD — CVE-2024-29748 (Vulnerability Database)
CISA KEV Catalog Entry (US Government)