Security researchers at Google Project Zero have disclosed a significant vulnerability that bypasses one of the Android kernel’s core security defenses: Kernel Address Space Layout Randomization (KASLR). The technique, detailed in a report titled “Defeating KASLR by Doing Nothing at All,” demonstrates how a passive, low-privilege attack can successfully de-randomize the kernel’s memory location, a critical step in many exploitation chains.
KASLR is a defensive mechanism designed to make it more difficult for attackers to execute arbitrary code by randomizing the memory address where the kernel is loaded. By successfully bypassing KASLR, an attacker can pinpoint the exact location of kernel code and data, thereby nullifying this protection and simplifying subsequent exploitation efforts.
The Side-Channel Vulnerability Explained
The method discovered by Project Zero is a side-channel attack that requires no special permissions and does not need to crash the system to succeed. The vulnerability was found in the way certain Android devices handled memory management for specific drivers. Researchers identified that an unprivileged application could repeatedly probe a specific device driver interface. The time it took for the system call to return an error varied depending on whether a particular kernel memory address was cached.
By meticulously measuring these minute timing variations, the attacker’s application was able to leak information about the kernel’s memory layout bit by bit. The “doing nothing at all” aspect refers to the passive nature of the attack; the malicious application simply makes repeated, failing system calls and observes the timing. This process effectively reconstructs the randomized kernel offset, completely defeating the KASLR protection without causing any system instability.
Impact and Coordinated Mitigation
A successful KASLR bypass on its own does not grant an attacker control over a device. However, it is an essential primitive for more complex attacks. Without KASLR, other kernel vulnerabilities become significantly easier to exploit, as the attacker knows the precise memory addresses needed for their payload. The Project Zero report confirmed that this vulnerability affected a range of Android devices using specific System-on-Chip (SoC) hardware and associated kernel driver implementations.
Following the principles of coordinated disclosure, Google Project Zero reported the findings to the Android security team. In response, a patch was developed to mitigate the information leak. The fix involved modifying the relevant kernel driver to ensure its response time was constant, regardless of the internal memory state, thereby closing the side-channel. The patch was subsequently rolled out to affected devices via an Android Security Bulletin.
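A constant-time fix like the one described above is only as good as the check that confirms it. As an added illustration, not code from the Project Zero report or from the Android patch, the following Python performs the kind of regression test a driver maintainer could run: collect error-path latencies under each internal state the caller must not learn (here, the address cached or not), then apply a Welch's t-test to decide whether the two distributions are distinguishable. All latency samples are constructed for the example; the 4.5 cutoff follows the usual dudect-style convention and is an assumption.

```python
import math
import statistics

# Constructed latency samples (nanoseconds) for a failing driver call,
# grouped by a kernel-internal state the caller should not be able to infer.
# These values are made up for the example; a real test collects them on-device.
LEAKY_CACHED = [310, 305, 312, 308, 311, 306, 309, 307, 310, 304]
LEAKY_UNCACHED = [390, 384, 395, 388, 392, 386, 391, 389, 387, 393]

# Samples for a handler whose response time no longer depends on that state.
FIXED_CACHED = [410, 405, 412, 408, 411, 406, 409, 407, 410, 404]
FIXED_UNCACHED = [409, 406, 411, 407, 412, 405, 410, 408, 404, 411]


def welch_t(a, b):
    """Welch's t statistic for two independent samples with unequal variance."""
    mean_a, mean_b = statistics.fmean(a), statistics.fmean(b)
    var_a, var_b = statistics.variance(a), statistics.variance(b)
    return (mean_a - mean_b) / math.sqrt(var_a / len(a) + var_b / len(b))


def leaks_state(cached, uncached, threshold=4.5):
    """True when timing alone separates the two internal states.

    A |t| above the (assumed) 4.5 cutoff means an unprivileged caller that
    only observes how long the failing call takes can tell the states apart,
    which is exactly the signal a KASLR-derandomization probe relies on.
    """
    return abs(welch_t(cached, uncached)) > threshold


def audit_handlers():
    """Regression check: the patched handler must not be distinguishable."""
    return {
        "leaky_handler_leaks": leaks_state(LEAKY_CACHED, LEAKY_UNCACHED),
        "fixed_handler_leaks": leaks_state(FIXED_CACHED, FIXED_UNCACHED),
    }


if __name__ == "__main__":
    for name, leaks in audit_handlers().items():
        print(f"{name}: {leaks}")
```

In a real deployment the samples would come from many thousands of timed calls per state, and the test would be repeated across SoCs and kernel builds, since the leak in the report was tied to specific driver implementations.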
Source: https://googleprojectzero.blogspot.com/2025/11/defeating-kaslr-by-doing-nothing-at-all.html