[TIMESTAMP: 2026-06-03 17:46 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Android and Linux Kernel Exploitation: CVE-2024-36971 and CVE-2024-21626

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers are actively exploiting memory corruption and file descriptor leaks to compromise Android devices and escape Linux containers.
  • [02] Impacted systems include Android devices with kernels prior to the August 2024 update and Linux environments using runc versions before 1.1.12.
  • [03] Administrators must prioritize the August 2024 Android security patch and update runc to version 1.1.12 or later to prevent exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently expanded its Known Exploited Vulnerabilities (KEV) catalog, signaling immediate risks for organizations utilizing Linux-based environments and Android mobile devices. According to BleepingComputer, these additions highlight vulnerabilities that are currently being leveraged by threat actors in the wild. The two entries, CVE-2024-36971 and CVE-2024-21626, present distinct but severe risks ranging from targeted mobile compromise to cloud infrastructure escapes.

Technical Analysis of Android CVE-2024-36971

CVE-2024-36971 is a high-severity use-after-free (UAF) vulnerability in the Android kernel’s network routing code. It was a zero-day when Google’s Threat Analysis Group (TAG) first discovered it, and it allows attackers to execute arbitrary code with elevated permissions. In a UAF, the kernel continues to use a pointer after the memory it points to has been freed; an attacker who can control what is reallocated into that memory can redirect execution flow and potentially escalate privileges.

Security researchers have observed that exploitation of this vulnerability has been “limited” and “targeted,” a hallmark of sophisticated APT activity aimed at high-value individuals rather than broad consumer segments. Its inclusion in the KEV catalog nevertheless indicates that the threat persists. To detect exploitation of CVE-2024-36971, defenders should look for unusual kernel-level crashes or unexpected network routing changes that deviate from normal operating behavior, and should monitor for secondary payloads delivered after successful initial access.

runc CVE-2024-21626: Container Breakout and Mitigation

The second vulnerability, CVE-2024-21626, affects runc, the low-level container runtime used by Docker, Kubernetes, and other containerization platforms, and is one of a series of vulnerabilities colloquially known as “Leaky Vessels.” The issue is an internal file descriptor leak: certain file descriptors (specifically those opened with O_PATH) remain open when a new process is executed within the container. An attacker who can run a malicious image or enter a container can use these leaked descriptors to reach the host filesystem.

This leads to a full container escape, allowing the attacker to bypass the container’s isolation boundary. For SOC analysts, monitoring for suspicious chdir calls or attempts to access /proc/self/fd/ from within containerized environments is a primary detection strategy. Mitigation requires upgrading runc to version 1.1.12 or higher, which ensures the descriptors are closed before process execution.
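The detection strategy above, turned into a small rule that runs over auditd-style records. This is an added example, not code from the original briefing or from the runc project; the log lines are constructed and simplified, and the audit rule key `container-exec` (assumed to tag syscalls issued from container cgroups) is an assumption, not a runc or auditd default.

```python
import re
from collections import defaultdict

# Constructed, simplified auditd-style records (not a real capture). A SYSCALL line and its
# PATH line share an event id; event 504 is a host process without the container key.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1722800000.101:501): arch=c000003e syscall=80 success=yes exit=0 pid=4242 comm="sh" key="container-exec"
type=PATH msg=audit(1722800000.101:501): item=0 name="/proc/self/fd/7" nametype=NORMAL
type=SYSCALL msg=audit(1722800000.205:502): arch=c000003e syscall=80 success=yes exit=0 pid=4243 comm="bash" key="container-exec"
type=PATH msg=audit(1722800000.205:502): item=0 name="/var/www" nametype=NORMAL
type=SYSCALL msg=audit(1722800000.310:503): arch=c000003e syscall=257 success=yes exit=3 pid=4244 comm="cat" key="container-exec"
type=PATH msg=audit(1722800000.310:503): item=0 name="/proc/self/fd/9" nametype=NORMAL
type=SYSCALL msg=audit(1722800000.415:504): arch=c000003e syscall=80 success=yes exit=0 pid=1200 comm="systemd" key=(null)
type=PATH msg=audit(1722800000.415:504): item=0 name="/proc/self/fd/3" nametype=NORMAL
"""
SYSCALL_NAMES = {2: "open", 80: "chdir", 81: "fchdir", 257: "openat"}  # x86_64 numbers
CONTAINER_KEY = "container-exec"  # assumed audit rule key, not a runc default
LEAK_PREFIX = "/proc/self/fd/"
_EVENT_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(text):
    """Group SYSCALL and PATH records by event id, stripping quotes from values."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = _EVENT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            events[m.group(1)].update(fields)
        elif fields.get("type") == "PATH":
            events[m.group(1)].setdefault("paths", []).append(fields.get("name", ""))
    return dict(events)

def find_fd_leak_access(text):
    """Return (event_id, severity, detail) for container syscalls touching /proc/self/fd/."""
    hits = []
    for ev_id, ev in sorted(parse_audit(text).items(), key=lambda kv: int(kv[0])):
        if ev.get("key") != CONTAINER_KEY:
            continue  # host-side activity is out of scope for this rule
        name = SYSCALL_NAMES.get(int(ev.get("syscall", -1)), "syscall?")
        for path in ev.get("paths", []):
            if not path.startswith(LEAK_PREFIX):
                continue
            # chdir into a leaked descriptor is the primitive described above; a plain open of
            # /proc/self/fd/N also has benign uses (/dev/stdin resolves there), so it ranks lower.
            severity = "high" if name in ("chdir", "fchdir") else "medium"
            hits.append((ev_id, severity, f"pid={ev.get('pid')} comm={ev.get('comm')} {name} {path}"))
    return hits
```

On a real host the input would come from `ausearch -k container-exec --raw`, with the rule key chosen to match whatever tagging the audit configuration applies to container processes.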

Impact on Enterprise Infrastructure

The exploitation of these vulnerabilities poses a significant risk to the integrity of enterprise data. While the Android vulnerability threatens the confidentiality of mobile communications and user data, the runc vulnerability targets the core of modern cloud-native architecture. If an attacker achieves a container escape, they can potentially facilitate Lateral Movement across the host network, accessing sensitive secrets, environment variables, or management interfaces that were intended to be isolated.

Remediation Strategies for Security Teams

CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies address these flaws by September 4, 2024. For private sector organizations, the remediation timeline should be equally aggressive given the known active exploitation.

  1. Mobile Device Management: Apply the Android kernel August 2024 security update across all managed mobile devices. Prioritize devices held by executives or personnel in sensitive roles who are more likely to be targeted by sophisticated actors.
  2. Container Infrastructure: Inventory all Linux hosts running container runtimes. Ensure that runc is updated to version 1.1.12 or later across all production and development nodes.
  3. Detection Engineering: Update your SIEM and EDR rules to flag unauthorized access to host file systems from containerized processes and investigate any anomalies in kernel telemetry.
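A fleet compliance check covering steps 1 and 2, as an added example rather than code from the briefing: it parses `runc --version` output against the 1.1.12 floor and the Android `ro.build.version.security_patch` property against the August 2024 bulletin. The inventory records and host names are constructed; the runc version regex tolerates distribution packaging suffixes but cannot see backported fixes, so a negative result means "verify against the vendor advisory".

```python
import re
from datetime import date

RUNC_FIXED = (1, 1, 12)                 # runc 1.1.12 closes CVE-2024-21626
ANDROID_FIXED_PATCH = date(2024, 8, 1)  # August 2024 Android security bulletin
_RUNC_RE = re.compile(r"^runc version (\d+)\.(\d+)\.(\d+)", re.MULTILINE)

def runc_is_patched(version_output):
    """Parse the first line of `runc --version`; packaging suffixes such as '-0ubuntu1'
    or '+ds1' are ignored. Distributions that backport fixes may still report an older
    upstream version, so treat False as 'check the vendor advisory', not proof of exposure."""
    m = _RUNC_RE.search(version_output)
    if not m:
        raise ValueError("unrecognised runc --version output")
    return tuple(int(x) for x in m.groups()) >= RUNC_FIXED

def android_is_patched(patch_level):
    """patch_level is the value of `getprop ro.build.version.security_patch`, e.g. '2024-08-05'."""
    return date.fromisoformat(patch_level.strip()) >= ANDROID_FIXED_PATCH

# Constructed inventory (asset, kind, raw value reported by an agent or MDM); not real hosts.
INVENTORY = [
    ("k8s-node-01", "runc", "runc version 1.1.11\nspec: 1.0.2-dev"),
    ("k8s-node-02", "runc", "runc version 1.1.12\nspec: 1.0.2-dev"),
    ("build-agent-07", "runc", "runc version 1.1.12-0ubuntu1\nspec: 1.0.2-dev"),
    ("exec-phone-03", "android", "2024-07-05"),
    ("exec-phone-04", "android", "2024-08-05"),
]
CHECKS = {"runc": runc_is_patched, "android": android_is_patched}

def noncompliant(inventory):
    """Return (asset, kind, reason) for every asset still below the fixed level or unparseable."""
    findings = []
    for asset, kind, raw in inventory:
        try:
            ok = CHECKS[kind](raw)
        except (KeyError, ValueError) as exc:
            findings.append((asset, kind, f"could not evaluate: {exc}"))
            continue
        if not ok:
            findings.append((asset, kind, f"below fixed level: {raw.splitlines()[0]}"))
    return findings
```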

By prioritizing these updates, organizations can significantly reduce their attack surface against both mobile-centric and cloud-infrastructure-based threats.
