CVE-2024-36971 — Android Kernel Remote Code Execution Vulnerability

CVE-2024-36971

Android / Linux Kernel — Use-After-Free in the Socket Route Cache (__dst_negative_advice()) Enables Kernel Code Execution; Google Reports Limited, Targeted Exploitation

What is the Android / Linux Kernel Network Subsystem?

The Linux kernel's network subsystem manages routing tables, socket handling, and protocol state for all network communications. To avoid a route lookup on every packet, a socket caches the route it is currently using as a dst_entry in sk->sk_dst_cache. The transmit path reads that pointer under RCU, and protocol code can invalidate the cache when it suspects the route has gone bad (retransmit timeouts and similar events, via the "negative advice" hook). Objects like this are reference-counted and freed only after an RCU grace period, so the order in which the pointer is cleared and the reference is dropped is part of the safety contract. The Android kernel is a fork of the Linux kernel with additional Android-specific drivers and patches; vulnerabilities in the upstream Linux kernel's networking code therefore reach Android devices, and this particular code path is reachable from any installed app through ordinary sockets.

Overview

CVE-2024-36971 is a use-after-free in the Linux kernel's networking core. __dst_negative_advice() dropped its reference to a socket's cached route before clearing the socket's pointer to it, so a concurrent reader could pick up and use a dst_entry that had already been released. The bug is triggerable by an unprivileged local process and exploitable for code execution in kernel context, which is why Google's Android bulletin files it as a kernel RCE even though the CVSS vector is local. The CVE record was published on June 10, 2024 for the upstream fix; Google's August 2024 Android Security Bulletin reported indications of limited, targeted exploitation against Android devices, with Google's Threat Analysis Group (TAG) credited, and CISA added the CVE to its KEV catalog on August 7, 2024.

Affected Versions

Platform                                     Status
Android (any version on an unpatched kernel) Patched in the August 2024 Android Security Bulletin (security patch level 2024-08-05)
Linux kernel (upstream)                      Fixed in mainline and backported to the maintained stable series; CVE record published 2024-06-10

Android OEMs patch on different schedules; check device-specific security patch level.

Technical Details

CWE-416 (Use-After-Free). When the stack decides a socket's cached route is bad, __dst_negative_advice() has to do two things: clear sk->sk_dst_cache and drop the reference the socket held on the old dst. The RCU rule, which sk_dst_reset() already followed, is that the pointer must be cleared first and dst_release() called on the old object second. __dst_negative_advice() did it the other way round: it released the dst first and only afterwards cleared the socket's pointer. In the window between the two steps a concurrent datapath reader could dereference sk->sk_dst_cache, obtain a dst whose last reference had just been dropped, and keep using it after it was freed. The upstream commit notes that ip6_negative_advice() has extra handling for RTF_CACHE routes, so rather than reordering the generic helper the fix moves the sk_dst_reset() into each of the three ->negative_advice() implementations and keeps the NULL check in one place. The commit also describes this as an old bug that only became visible after a later change, with UDP sockets as the trigger, which is what puts it within reach of an unprivileged app.

Once the freed dst_entry is reallocated and its contents are under the attacker's influence, the stale use becomes a kernel memory-corruption primitive: overwriting kernel data structures (credentials, function pointers, or other kernel struct fields) to escalate privileges or execute arbitrary code in kernel context. On Android, this level of access bypasses the app sandbox entirely.
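To make the ordering rule concrete, the following small C model is added for this page; it is not kernel code and not code from the page's original author. It collapses the kernel's RCU deferral and the allocator into a `freed` flag, models the concurrent datapath reader as running exactly in the window between the two steps, and uses hypothetical names (`struct dst`, `struct sock`, `negative_advice_buggy`, `negative_advice_fixed`, `run_scenario`) that are not the kernel's API. The point it demonstrates is the one the fix enforces: with release-then-clear a reader can reach a released object, with clear-then-release it cannot.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model (added example, not kernel code) of the ordering bug behind
 * CVE-2024-36971. A socket caches its route in sk->sk_dst_cache; datapath
 * readers dereference that pointer under RCU and must never be handed an
 * object whose last reference has already been dropped.
 */

struct dst {
    int  refcnt;   /* number of holders; 0 means the object is gone */
    bool freed;    /* models the memory having gone back to the allocator */
    int  mtu;      /* a field a real datapath reader would consult */
};

struct sock {
    struct dst *dst_cache; /* models sk->sk_dst_cache */
};

static struct dst *dst_alloc(int mtu, int refs)
{
    struct dst *d = calloc(1, sizeof(*d));
    if (!d)
        abort();
    d->refcnt = refs;
    d->mtu = mtu;
    return d;
}

/* Drop one reference; the last drop "frees" the object. The memory is kept
 * (poisoned via the flag) so the reader below can be inspected. */
static void dst_release(struct dst *d)
{
    if (!d)
        return;
    if (--d->refcnt == 0)
        d->freed = true;
}

/* A concurrent datapath reader arriving at the worst possible moment.
 * Returns 1 if it ends up using a dst that has already been released. */
static int datapath_reader(const struct sock *sk)
{
    const struct dst *d = sk->dst_cache; /* rcu_dereference() in the kernel */
    if (!d)
        return 0;                        /* cache miss: slow path, safe */
    return d->freed ? 1 : 0;             /* would read d->mtu from freed memory */
}

/* Pre-fix order in __dst_negative_advice(): release, then clear.
 * Between the two steps sk->dst_cache still points at the object. */
static int negative_advice_buggy(struct sock *sk)
{
    struct dst *old = sk->dst_cache;
    dst_release(old);
    int uaf = datapath_reader(sk);
    sk->dst_cache = NULL;
    return uaf;
}

/* Fixed order (what sk_dst_reset() does): clear first, release second. */
static int negative_advice_fixed(struct sock *sk)
{
    struct dst *old = sk->dst_cache;
    sk->dst_cache = NULL;     /* xchg(&sk->sk_dst_cache, NULL) in the kernel */
    int uaf = datapath_reader(sk);
    dst_release(old);
    return uaf;
}

/* Run one scenario: `fixed` selects the ordering, `extra_refs` models other
 * holders of the same dst. Returns 1 if the reader hit a released object. */
int run_scenario(bool fixed, int extra_refs)
{
    struct sock sk = { .dst_cache = dst_alloc(1500, 1 + extra_refs) };
    struct dst *d = sk.dst_cache;
    int uaf = fixed ? negative_advice_fixed(&sk) : negative_advice_buggy(&sk);
    free(d); /* the model kept the memory around; release it for real now */
    return uaf;
}

int main(void)
{
    printf("buggy order, socket is last holder : uaf=%d\n", run_scenario(false, 0));
    printf("fixed order, socket is last holder : uaf=%d\n", run_scenario(true, 0));
    printf("buggy order, another holder exists : uaf=%d\n", run_scenario(false, 1));
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c && ./a.out`. The third scenario shows why the bug stayed hidden for years: as long as something else still held a reference, the wrong order was harmless, and it only became exploitable once a code path existed where the socket was the last holder at the moment negative advice fired.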

The CVSS vector is AV:L with PR:L: the trigger is ordinary socket activity from a local, unprivileged process. On Android that means any app holding the INTERNET permission, which is a normal permission granted at install time without a prompt, so the "low privileges" bar is effectively any installed app. The practical impact is local privilege escalation to kernel context; Google's bulletin nonetheless categorizes the kernel component issue as RCE.

Discovery

The fix went through the upstream networking tree, and its commit message credits Clement Lecigne of Google TAG for tracking the issue. The CVE was assigned by the Linux kernel CNA and announced on the linux-cve-announce mailing list. Google's August 2024 Android Security Bulletin reported indications of limited, targeted exploitation on Android devices, and CISA added the CVE to the KEV catalog two days after the bulletin.

Exploitation Context

Kernel networking use-after-free bugs on Android are high-value for mobile spyware and surveillance tool vendors because they bypass the Android application sandbox. An attacker who chains a malicious Android app with a kernel UAF exploit can achieve full device compromise — reading messages, call records, location data, and credentials — outside the normal permission model. The "limited, targeted exploitation" language indicates sophisticated actors targeting specific individuals rather than broad criminal campaigns. This fits the profile of commercial spyware vendors (Pegasus, Predator, etc.) or nation-state mobile surveillance tools.

Remediation

  1. Apply the August 2024 Android security update on all managed Android devices. Check Settings → Security → Security update, or run `adb shell getprop ro.build.version.security_patch`, and confirm the patch level is 2024-08-05 or later; kernel fixes ship in the 05 patch level, so a device reporting 2024-08-01 does not yet carry this fix.
  2. For Google Pixel devices, ensure Pixel-specific updates are also applied via the monthly Pixel Security Bulletin.
  3. Android OEM devices (Samsung, OnePlus, etc.) may receive the patch on a delayed schedule — contact the OEM or check their security bulletin pages.
  4. For high-risk individuals, consider mobile threat defense (MTD) tools that monitor for kernel exploitation indicators.
  5. Keep Android devices on a supported Android version — devices running end-of-life Android versions may not receive this patch at all and should be replaced.

Key Details

Property              Value
CVE ID                CVE-2024-36971
Vendor / Product      Android — Kernel (upstream Linux kernel networking)
NVD Published         2024-06-10
NVD Last Modified     2025-11-05
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-416
CISA KEV Added        2024-08-07
CISA KEV Deadline     2024-08-28
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-08-28. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-06-10  CVE-2024-36971 record published by the Linux kernel CNA for the upstream __dst_negative_advice() fix
2024-08-05  August 2024 Android Security Bulletin ships the fix (patch level 2024-08-05) and reports indications of limited, targeted exploitation
2024-08-07  Added to CISA Known Exploited Vulnerabilities catalog
2024-08-28  CISA BOD 22-01 remediation deadline