Most exploits in this list can be used on any Android device, not necessarily the Oculus Quest. The table provides a summary, but make sure to read the description of each exploit for important details.
To check your Android security patch level (yyyy-mm-dd), run `adb shell getprop ro.build.version.security_patch`; if your date is earlier than the patch date listed for an exploit, your device is vulnerable to it. Just because an exploit is listed doesn't mean that it has actually been exploited, only that it's theoretically possible.
We are currently attempting to create an exploit for as many of these as we can.
| CVE | Proof-of-concept? | Supported devices | Successful exploitation result | Android patch date | Hardware/soldering required |
|---|---|---|---|---|---|
| CVE-2024-50302/CVE-2024-53197 | No | All Android devices | Temporary root | 2025-03-05 | Raspberry Pi Pico ($4) |
| CVE-2023-4622 | No | All Android devices | Temporary root | 2024-05-05 | None |
| CVE-2024-31317 | Yes | All Android devices | System (UID 1000) | 2024-06-01 | None |
| CVE-2021-1931 | Yes | Snapdragon devices | Bootloader unlock | 2021-07-05 | None |
| CVE-2025-21479 | eureka_panther-adreno-gpu-exploit-1 | Adreno 7xx GPU with a version no greater than xxx? | Arbitrary kernel memory read/write, can disable SELinux and Temporary root | 2025-08-05 | None |
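As an added example (not part of the original page or any of the linked projects), the following Python script automates the patch-level check described above: it parses the table, reads `ro.build.version.security_patch` over adb, and lists the rows whose Android patch date is later than the device's level. It assumes `adb` is on PATH and a device is connected when run stand-alone; the parsing and comparison work offline.

```python
import subprocess
from datetime import date

# Rows copied from the table above (the data is the page's; this script is an added example).
EXPLOIT_TABLE = """
| CVE | Proof-of-concept? | Supported devices | Successful exploitation result | Android patch date | Hardware/soldering required |
|---|---|---|---|---|---|
| CVE-2024-50302/CVE-2024-53197 | No | All Android devices | Temporary root | 2025-03-05 | Raspberry Pi Pico ($4) |
| CVE-2023-4622 | No | All Android devices | Temporary root | 2024-05-05 | None |
| CVE-2024-31317 | Yes | All Android devices | System (UID 1000) | 2024-06-01 | None |
| CVE-2021-1931 | Yes | Snapdragon devices | Bootloader unlock | 2021-07-05 | None |
| CVE-2025-21479 | eureka_panther-adreno-gpu-exploit-1 | Adreno 7xx GPU with a version no greater than xxx? | Arbitrary kernel memory read/write, can disable SELinux and Temporary root | 2025-08-05 | None |
"""

def parse_table(markdown):
    """Parse the markdown table into dicts, skipping the header and separator rows."""
    rows = []
    for line in markdown.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6 or cells[0] == "CVE" or set(cells[0]) == {"-"}:
            continue
        rows.append({"cve": cells[0], "devices": cells[2], "result": cells[3],
                     "patched": date.fromisoformat(cells[4]), "hardware": cells[5]})
    return rows

def device_patch_level():
    """Return ro.build.version.security_patch (yyyy-mm-dd) from the connected device via adb."""
    out = subprocess.run(["adb", "shell", "getprop", "ro.build.version.security_patch"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

def unpatched(patch_level, rows):
    """Rows whose Android patch date is later than the device's level (an equal date counts as patched)."""
    level = date.fromisoformat(patch_level)  # raises ValueError if the property is empty or malformed
    return [r for r in rows if level < r["patched"]]

if __name__ == "__main__":
    level = device_patch_level()
    print(f"security patch level: {level}")
    for r in unpatched(level, parse_table(EXPLOIT_TABLE)):
        print(f"{r['cve']}: patched {r['patched']}; {r['devices']}; {r['result']}; hardware: {r['hardware']}")
```

The "Supported devices" column still needs a manual check: a Snapdragon-only or Adreno-only bug is not relevant on other SoCs even if the date comparison flags it.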
If KASLR could be defeated, it is very likely that CVE-2023-4622 could be exploited, but so far nobody has been able to do that. What is KASLR? It's Kernel Address Space Layout Randomization: the kernel's memory layout is randomized at every boot, so an attacker who triggers a memory corruption bug does not know which addresses to target, which makes exploitation much harder. Read more here
These are two use-after-free vulnerabilities in the Linux kernel, triggered through its USB device quirk handling. There are two incomplete proof-of-concepts: https://gitea.itycodes.org/itycodes/CVE-2024-53197 and https://github.com/zhuowei/facedancer/tree/rawgadget2/examples, along with a technical writeup from a security lab that obtained a phone after exploitation. They have not been able to defeat KASLR and can only crash the kernel's USB thread.
In order to exploit this, you will need a $4 Raspberry Pi Pico to emulate the specific USB device.
This is a race condition in the Linux kernel allowing for arbitrary code execution without any prerequisites. While there is a proof-of-concept, unfortunately it uses EntryBleed to bypass KASLR, which only works on x86 CPUs. Because 99.9% of Android devices are ARM, this will not work. All other known KASLR bypasses require dmesg access, or something else that is not part of the Android kernel fork.
Even if the kernel .text offset could be figured out, Android devices often run a vendor-specific kernel, and fastboot does not allow you to read boot.img. This would mean that you would need to obtain a factory image of the exact version of the firmware in order to get symbol offsets.
Zygote injection is a fully implemented attack that achieves system privileges, but unfortunately SELinux is very restrictive, which greatly limits what the exploit can do. It can be used to read and write apps' private data, and in some scenarios to bypass carrier restrictions on OEM unlocking. https://github.com/Anonymous941/zygote-injection-toolkit and https://github.com/oddbyte/CVE-2024-31317 allow automatic exploitation.
This is the latest known exploit for Oculus Quest devices, and a Quest bootloader unlocker can be found here. It exploits a buffer overflow in Snapdragon's implementation of fastboot, allowing the bootloader to be unlocked. The unlocker does not support any devices other than the Quest, but it can be modified to work with them.
This is the latest known exploit for Meta Quest devices (3/3s/eureka/panther), and an implementation of it can be found here. It exploits a memory corruption vulnerability in the Adreno GPU driver, enabling arbitrary kernel memory read/write and privilege escalation.