CVE-2024-49737
Published: 21 January 2025
Description
In applyTaskFragmentOperation of WindowOrganizerController.java, there is a possible way to launch arbitrary activities as the system UID due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Security Summary
CVE-2024-49737 is a logic error in the applyTaskFragmentOperation function of WindowOrganizerController.java within the Android Open Source Project. This flaw enables an attacker to launch arbitrary activities with system UID privileges, resulting in a local escalation of privilege. No additional execution privileges beyond basic local access are required, and user interaction is unnecessary for exploitation. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-276 (Incorrect Default Permissions).
A local attacker with low privileges, such as a malicious application or compromised user account on the device, can exploit this issue. By triggering the faulty logic in WindowOrganizerController, the attacker can execute arbitrary activities under the system UID, achieving full control over sensitive system functions and data. The impact on confidentiality, integrity, and availability is high, potentially allowing persistent device compromise.
The Android Security Bulletin for 2025-01-01 details patches addressing this vulnerability, available at https://source.android.com/security/bulletin/2025-01-01. Security practitioners should ensure devices are updated to the latest monthly releases to mitigate exposure.
Details
- CWE(s)