CVE-2024-49742
Published: 21 January 2025
Description
In onCreate of NotificationAccessConfirmationActivity.java , there is a possible way to hide an app with notification access in Settings due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
Security Summary
CVE-2024-49742 is a vulnerability in the onCreate method of NotificationAccessConfirmationActivity.java within Android's Settings app, stemming from a missing permission check. This flaw allows an app with notification access to be hidden from the Settings interface, potentially enabling local escalation of privilege without requiring additional execution privileges. The issue was published on 2025-01-21 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-269 (Improper Privilege Management). User interaction is required for exploitation.
A local attacker with low privileges (PR:L) can exploit this vulnerability due to its low attack complexity (AC:L). Successful exploitation enables hiding notification access apps, leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) through privilege escalation on the affected Android device.
The Android Security Bulletin provides details on mitigation, available at https://source.android.com/security/bulletin/2025-01-01. Security practitioners should apply the recommended patches to address this issue in supported Android versions.
Details
- CWE(s)