ASB-A-369103643
See a problem?- Import Source
- https://storage.googleapis.com/android-osv/ASB-A-369103643.json
- JSON Data
- https://api.osv.dev/v1/vulns/ASB-A-369103643
- Aliases
-
- A-369103643
- CVE-2024-49737
- Published
- 2025-01-01T00:00:00Z
- Modified
- 2025-11-07T15:56:02.122943Z
- Summary
- [none]
- Details
-
In applyTaskFragmentOperation of WindowOrganizerController.java, there is a possible way to launch arbitrary activities as the system UID due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- References
Affected packages
Android / platform/frameworks/base
Package
Ecosystem specific
{
"types": [
"EoP"
],
"spl": "2025-01-01",
"vanir_signatures": [
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"247830753239969257885873247624590463164",
"221466244410249515856626539819557021675",
"269788443082532464705129411073175667603",
"93429399078353028099383205705581146863",
"303485001708872188488953942908528730903",
"237973310562149926607121392462167340335",
"181167633947030499191796485318783126492",
"148109783725599155833924821162785267763",
"111960032208563870104386455562406693993"
]
},
"target": {
"file": "services/core/java/com/android/server/wm/ActivityStartController.java"
},
"source": "https://android.googlesource.com/platform/frameworks/base/+/20c568e77eae5d469cd5e594b644d8645d830dbd",
"id": "ASB-A-369103643-62490ddd",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"182731028694053703641809109840598050601",
"232637503072892794895967908429165344939",
"13089435161022061320893909569743237690",
"168334595336395150687999161467293447816",
"161631339194587669886168761581488055762",
"253090262294093846784841518108590628549"
]
},
"target": {
"file": "services/core/java/com/android/server/wm/WindowOrganizerController.java"
},
"source": "https://android.googlesource.com/platform/frameworks/base/+/20c568e77eae5d469cd5e594b644d8645d830dbd",
"id": "ASB-A-369103643-907c7f88",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "96498141685469445536557282481916479375",
"length": 7432.0
},
"target": {
"file": "services/core/java/com/android/server/wm/WindowOrganizerController.java",
"function": "applyTaskFragmentOperation"
},
"source": "https://android.googlesource.com/platform/frameworks/base/+/20c568e77eae5d469cd5e594b644d8645d830dbd",
"id": "ASB-A-369103643-938714f8",
"deprecated": false,
"signature_version": "v1"
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/20c568e77eae5d469cd5e594b644d8645d830dbd"
],
"severity": "High"
}
Android / platform/frameworks/base
Package
Android / platform/frameworks/base
Package
Ecosystem specific
{
"types": [
"EoP"
],
"spl": "2025-01-01",
"vanir_signatures": [
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"247830753239969257885873247624590463164",
"221466244410249515856626539819557021675",
"63807911397127398893873232592809304717",
"324626324815413323839987247617310599301",
"303485001708872188488953942908528730903",
"237973310562149926607121392462167340335",
"181167633947030499191796485318783126492",
"148109783725599155833924821162785267763",
"111960032208563870104386455562406693993"
]
},
"target": {
"file": "services/core/java/com/android/server/wm/ActivityStartController.java"
},
"source": "https://android.googlesource.com/platform/frameworks/base/+/ef9ea0faa26e0ce0ee5e8dc70a663f98e04b0ca0",
"id": "ASB-A-369103643-01d9292a",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"288034330759454545749828417286440772737",
"70732883184502326222261677927881772729",
"125145677863081048291088641446390616547",
"307720510604394016663738182914756931362",
"159307390470164582163890545615796627319",
"219780262929468288463261191986071483534"
]
},
"target": {
"file": "services/core/java/com/android/server/wm/WindowOrganizerController.java"
},
"source": "https://android.googlesource.com/platform/frameworks/base/+/ef9ea0faa26e0ce0ee5e8dc70a663f98e04b0ca0",
"id": "ASB-A-369103643-12f1f598",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "6273640658742789058457512313068402242",
"length": 10099.0
},
"target": {
"file": "services/core/java/com/android/server/wm/WindowOrganizerController.java",
"function": "applyHierarchyOp"
},
"source": "https://android.googlesource.com/platform/frameworks/base/+/ef9ea0faa26e0ce0ee5e8dc70a663f98e04b0ca0",
"id": "ASB-A-369103643-f89cdc72",
"deprecated": false,
"signature_version": "v1"
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/ef9ea0faa26e0ce0ee5e8dc70a663f98e04b0ca0"
],
"severity": "High"
}
Android / platform/frameworks/base
Package
Ecosystem specific
{
"types": [
"EoP"
],
"spl": "2025-01-01",
"vanir_signatures": [
{
"signature_type": "Function",
"digest": {
"function_hash": "204437010377938415305313386421056551892",
"length": 4858.0
},
"target": {
"file": "services/core/java/com/android/server/wm/WindowOrganizerController.java",
"function": "applyTaskFragmentOperation"
},
"source": "https://android.googlesource.com/platform/frameworks/base/+/198f7b559f9a13d5b9d26b41c6b95bc1e45fcb1e",
"id": "ASB-A-369103643-1b501a7f",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"182731028694053703641809109840598050601",
"121976430543692563394842650948165224068",
"64384254864213543719623192695623721071",
"46685231285905702262550237476649330875",
"325520871240326503071717366354732856279",
"251301581520187244933596937037593687964"
]
},
"target": {
"file": "services/core/java/com/android/server/wm/WindowOrganizerController.java"
},
"source": "https://android.googlesource.com/platform/frameworks/base/+/198f7b559f9a13d5b9d26b41c6b95bc1e45fcb1e",
"id": "ASB-A-369103643-34e3116c",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"247830753239969257885873247624590463164",
"221466244410249515856626539819557021675",
"269788443082532464705129411073175667603",
"93429399078353028099383205705581146863",
"303485001708872188488953942908528730903",
"237973310562149926607121392462167340335",
"181167633947030499191796485318783126492",
"148109783725599155833924821162785267763",
"111960032208563870104386455562406693993"
]
},
"target": {
"file": "services/core/java/com/android/server/wm/ActivityStartController.java"
},
"source": "https://android.googlesource.com/platform/frameworks/base/+/198f7b559f9a13d5b9d26b41c6b95bc1e45fcb1e",
"id": "ASB-A-369103643-6b875c9b",
"deprecated": false,
"signature_version": "v1"
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/198f7b559f9a13d5b9d26b41c6b95bc1e45fcb1e"
],
"severity": "High"
}