Why CVE-2024-34736 is detected on android 16 (security patch level 2025-12-05)?

[selenite140]

Hi,

When running Vanir on the android 16 codebase (with security patch level 2025-12-05), we can see the "CVE-2024-34736" can still be detected. The "CVE-2024-34736" should already be fixed on android 16.

Could you help check if this is a false positive detection?

report-20260116171715.html

Thank you!

[baekhyunwook]

Hi Ji, thanks for reporting the issue.

Short answer: This is a false positive due to revocation of the previous security patch.
Please ignore the finding for now (e.g., using --cve_id_ignore_list=CVE-2024-34736 flag).

Long answer: I've taken a look into the details of the signature, and it seems this is because the original security patch is reverted by a new patch merged later. As long as the new patch is present in your branch, you can ignore this finding. Our Vanir team will work on generating new signatures based on the new patch so that you don't need to use flag once it is updated.