5 Real Android Native Memory Bugs: Heap Overflows, UAF, and Fixes

This article examines five historical Android native vulnerabilities disclosed in security bulletins, analyzing C/C++ memory bug scenarios, especially those caused by C++ object‑oriented features.

1. Heap overflow caused by missing length checks

Vulnerability ID: CVE-2023-21118

Source: May 2023 security bulletin

Type: Information Disclosure (ID)

Affected versions: 11, 12, 12L, 13

Severity: High

Module: libsensor

The flaw resides in three key functions of libutils.so: FlattenableUtils::advance(), FlattenableUtils::read() and FlattenableUtils::align(). The advance() function moves the buffer pointer without verifying that the remaining length is sufficient for a 4‑byte alignment, allowing the pointer to step outside the buffer and cause a heap overflow.

Google’s fix adds a length check before the 4‑byte alignment to ensure the remaining buffer is large enough.

2. Heap overflow caused by unsigned integer wrap‑around

Vulnerability ID: CVE-2024-0018

Source: January 2024 security bulletin

Type: Privilege Escalation (EoP)

Affected versions: 11, 12, 12L, 13, 14

Severity: High

Module: libstagefright

The bug appears in the ColorConverter class when converting YUV420 to Y410. The code checks src.cropWidth() - 3 to decide if the buffer is large enough, but src.cropWidth() is an unsigned size_t. If the width is less than 3, the subtraction underflows to a huge value, bypassing the check and causing out‑of‑bounds reads/writes.

The fix rewrites the condition to use addition ( src.cropWidth() + 3) for the comparison, eliminating the unsigned underflow.

3. Use‑after‑free caused by a dangling pointer after main‑thread destruction

Vulnerability ID: CVE-2023-40131

Source: November 2023 security bulletin

Type: Privilege Escalation (EoP)

Affected versions: 12, 12L, 13

Severity: High

Module: gpuservice

In GpuService, the constructor passes this to initialization functions that spawn detached threads. The main thread may be destroyed immediately after construction, leaving the detached threads with a dangling this pointer, leading to use‑after‑free.

The remediation is to create the worker thread with a smart pointer and join or wait for all threads in the destructor.

4. Race condition and use‑after‑free in an unlocked Vector

Vulnerability ID: CVE-2021-0437

Source: April 2021 security bulletin

Type: Privilege Escalation (EoP)

Affected versions: 8.1, 9, 10, 11

Severity: High

Module: drm

The bug occurs in DrmPlugin::setPlayPolicy(), where a KeyedVector (Android’s vector‑like container) is modified without locking. If one thread triggers a reallocation while another holds a pointer to the old storage, the latter accesses a dangling pointer, causing use‑after‑free.

The fix is to protect all accesses with a mutex (or other synchronization) to prevent concurrent reallocation.

5. Use‑after‑free caused by a dangling pointer from out‑of‑scope temporary

Vulnerability ID: CVE-2020-0008

Source: January 2020 security bulletin

Type: Information Disclosure (ID)

Affected versions: 8.0, 8.1, 9, 10

Severity: High

Module: bt

The function BtAddrString() returns a temporary std::string that lives only for the expression. Assigning its internal C‑string pointer to a variable without storing the std::string causes the pointer to become dangling immediately after the line, leading to use‑after‑free.

The remediation is to store the returned string in a local std::string variable, extending its lifetime to match the surrounding scope.

Summary

The five analyzed Android native bugs demonstrate that missing length checks before pointer arithmetic, unsigned integer underflow, improper thread lifecycle handling, unlocked container modifications, and misuse of temporary objects are common root causes of heap overflows and use‑after‑free vulnerabilities. Developers should validate buffer lengths, avoid unsigned subtraction that can wrap, synchronize multithreaded access, and carefully manage object lifetimes to mitigate such risks.