Back to KEVs

CVE-2023-35674

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local...

Basic Information

CVE State: PUBLISHED
Reserved Date: June 15, 2023
Published Date: September 11, 2023
Last Updated: February 04, 2025
Vendor: Google
Product: Android
Description: In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Scores

CVSS v3.1

7.8 - HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: active
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2023-09-13 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2023-09-11 05:34:43 UTC) Source

References

https://android.googlesource.com/platform/frameworks/base/+/7428962d3b064ce1122809d87af65099d1129c9e https://source.android.com/security/bulletin/2023-09-01

Known Exploited Vulnerability Information

Source	Added Date
CISA	2023-09-13 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

Thampakon/CVE-2023-35674

Type: github • Created: 2023-09-11 05:34:43 UTC • Stars: 0

ช่องโหว่ CVE-2023-35674 *สถานะ: ยังไม่เสร็จ*