In SurfaceFlinger::setTransactionState (services/surfaceflinger/SurfaceFlinger.cpp), a logic error in the code makes tapjacking possible (an overlay obscures the UI so that touches reach content the user cannot see). This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"spl": "2024-08-01",
"severity": "High",
"fixes": [
"https://android.googlesource.com/platform/frameworks/native/+/04e41761914c3c3aaca965103be3679b7a7af76f",
"https://android.googlesource.com/platform/frameworks/native/+/2fc9515b2ae8a4bb4729092c113eff117841a958"
],
"types": [
"EoP"
],
"vanir_signatures": [
{
"deprecated": false,
"source": "https://android.googlesource.com/platform/frameworks/native/+/04e41761914c3c3aaca965103be3679b7a7af76f",
"id": "ASB-A-336648613-14b4ad06",
"digest": {
"threshold": 0.9,
"line_hashes": [
"98259378003215290729200237477895687439",
"124351871409583557248646893027347472071",
"83269910493861560338894238969646644480",
"199318277824035700342671260286424773147"
]
},
"target": {
"file": "services/surfaceflinger/SurfaceFlinger.cpp"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://android.googlesource.com/platform/frameworks/native/+/2fc9515b2ae8a4bb4729092c113eff117841a958",
"id": "ASB-A-336648613-165e16f9",
"digest": {
"threshold": 0.9,
"line_hashes": [
"119849422066859117998190507447921247582",
"233788605379638285463660867186484692767",
"258348330144295160924809948120583375696",
"140468011115421245451995813614498008597",
"92733186063308125086410512280235079644",
"202345375235487927167814672541795343501",
"320856776686287278756643701749370531887",
"6077737703250704013138677459097867481",
"147423824564164202981002604416402353662",
"24802709526932377582786707034229334080",
"303639753293515368215693811817733397226",
"70010450437343897477377129399488908447",
"309185948175512427659912767458363091160",
"251125231041549029302901415882271665226",
"262174218451291711126137892668652235802",
"160029374754896997520764646987278392060"
]
},
"target": {
"file": "services/surfaceflinger/tests/Credentials_test.cpp"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://android.googlesource.com/platform/frameworks/native/+/04e41761914c3c3aaca965103be3679b7a7af76f",
"id": "ASB-A-336648613-347a5dc2",
"digest": {
"function_hash": "298505913791856611425474582226856428156",
"length": 3818.0
},
"target": {
"function": "SurfaceFlinger::setTransactionState",
"file": "services/surfaceflinger/SurfaceFlinger.cpp"
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://android.googlesource.com/platform/frameworks/native/+/04e41761914c3c3aaca965103be3679b7a7af76f",
"id": "ASB-A-336648613-a5630507",
"digest": {
"function_hash": "167139669641146282885240371798531393151",
"length": 1451.0
},
"target": {
"function": "TEST_F",
"file": "services/surfaceflinger/tests/Credentials_test.cpp"
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://android.googlesource.com/platform/frameworks/native/+/04e41761914c3c3aaca965103be3679b7a7af76f",
"id": "ASB-A-336648613-b8041d00",
"digest": {
"threshold": 0.9,
"line_hashes": [
"119849422066859117998190507447921247582",
"233788605379638285463660867186484692767",
"258348330144295160924809948120583375696",
"140468011115421245451995813614498008597",
"92733186063308125086410512280235079644",
"202345375235487927167814672541795343501",
"320856776686287278756643701749370531887",
"6077737703250704013138677459097867481",
"147423824564164202981002604416402353662",
"24802709526932377582786707034229334080",
"303639753293515368215693811817733397226",
"70010450437343897477377129399488908447",
"309185948175512427659912767458363091160",
"251125231041549029302901415882271665226",
"262174218451291711126137892668652235802",
"160029374754896997520764646987278392060"
]
},
"target": {
"file": "services/surfaceflinger/tests/Credentials_test.cpp"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://android.googlesource.com/platform/frameworks/native/+/2fc9515b2ae8a4bb4729092c113eff117841a958",
"id": "ASB-A-336648613-c25669e5",
"digest": {
"threshold": 0.9,
"line_hashes": [
"98259378003215290729200237477895687439",
"124351871409583557248646893027347472071",
"83269910493861560338894238969646644480",
"199318277824035700342671260286424773147"
]
},
"target": {
"file": "services/surfaceflinger/SurfaceFlinger.cpp"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://android.googlesource.com/platform/frameworks/native/+/2fc9515b2ae8a4bb4729092c113eff117841a958",
"id": "ASB-A-336648613-d7e1fae3",
"digest": {
"function_hash": "330833214335412875635693904938078851747",
"length": 3425.0
},
"target": {
"function": "SurfaceFlinger::setTransactionState",
"file": "services/surfaceflinger/SurfaceFlinger.cpp"
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://android.googlesource.com/platform/frameworks/native/+/2fc9515b2ae8a4bb4729092c113eff117841a958",
"id": "ASB-A-336648613-febb3c7f",
"digest": {
"function_hash": "167139669641146282885240371798531393151",
"length": 1451.0
},
"target": {
"function": "TEST_F",
"file": "services/surfaceflinger/tests/Credentials_test.cpp"
},
"signature_type": "Function",
"signature_version": "v1"
}
]
}
{
"spl": "2024-08-01",
"severity": "High",
"fixes": [
"https://android.googlesource.com/platform/frameworks/native/+/f1ad68a1a9fbdeb62999ccaee21643783101157c"
],
"types": [
"EoP"
],
"vanir_signatures": [
{
"deprecated": false,
"source": "https://android.googlesource.com/platform/frameworks/native/+/f1ad68a1a9fbdeb62999ccaee21643783101157c",
"id": "ASB-A-336648613-199fc973",
"digest": {
"function_hash": "167139669641146282885240371798531393151",
"length": 1451.0
},
"target": {
"function": "TEST_F",
"file": "services/surfaceflinger/tests/Credentials_test.cpp"
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://android.googlesource.com/platform/frameworks/native/+/f1ad68a1a9fbdeb62999ccaee21643783101157c",
"id": "ASB-A-336648613-a4c9fcb9",
"digest": {
"threshold": 0.9,
"line_hashes": [
"98259378003215290729200237477895687439",
"124351871409583557248646893027347472071",
"83269910493861560338894238969646644480",
"199318277824035700342671260286424773147"
]
},
"target": {
"file": "services/surfaceflinger/SurfaceFlinger.cpp"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://android.googlesource.com/platform/frameworks/native/+/f1ad68a1a9fbdeb62999ccaee21643783101157c",
"id": "ASB-A-336648613-b602c7ed",
"digest": {
"threshold": 0.9,
"line_hashes": [
"119849422066859117998190507447921247582",
"233788605379638285463660867186484692767",
"258348330144295160924809948120583375696",
"140468011115421245451995813614498008597",
"92733186063308125086410512280235079644",
"202345375235487927167814672541795343501",
"320856776686287278756643701749370531887",
"6077737703250704013138677459097867481",
"147423824564164202981002604416402353662",
"24802709526932377582786707034229334080",
"303639753293515368215693811817733397226",
"70010450437343897477377129399488908447",
"309185948175512427659912767458363091160",
"251125231041549029302901415882271665226",
"262174218451291711126137892668652235802",
"160029374754896997520764646987278392060"
]
},
"target": {
"file": "services/surfaceflinger/tests/Credentials_test.cpp"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://android.googlesource.com/platform/frameworks/native/+/f1ad68a1a9fbdeb62999ccaee21643783101157c",
"id": "ASB-A-336648613-b7b1246b",
"digest": {
"function_hash": "330833214335412875635693904938078851747",
"length": 3425.0
},
"target": {
"function": "SurfaceFlinger::setTransactionState",
"file": "services/surfaceflinger/SurfaceFlinger.cpp"
},
"signature_type": "Function",
"signature_version": "v1"
}
]
}