{"id":"ASB-A-230492947","details":"In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to bypass the restrictions on starting activities from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-230492947","CVE-2024-0036"],"modified":"2026-04-03T15:37:31.002635Z","published":"2024-02-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2024-02-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/3eaaa9687e90c65f51762deb343f18bef95d4e8e"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2024-02-01"}]}],"versions":["14-next"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java","function":"startNextMatchingActivity"},"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/e3c537ddea5ce8b28eeb89300ef602753cfe42a4","deprecated":false,"id":"ASB-A-230492947-3ad4ddf9","digest":{"length":2840,"function_hash":"19449996417798360393601174700087878694"}},{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java"},"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/e3c537ddea5ce8b28eeb89300ef602753cfe42a4","deprecated":false,"id":"ASB-A-230492947-942d555f","digest":{"threshold":0.9,"line_hashes":["120415229720468996380690857990573363595","327094437813866272250379025753693221449","339779152981538331835857088783300759202","177809087579538070238245537243034007378","269362116107589722058194574776708902081","53221371259381438459360905865126339575","155046736446939757154999034983477504036","64531953434324119995642499705604382882","333516042649489253463512250328517668790","311103090027810912653217446501431600245","311545419293262592779433611898598004330","64422315487152615121553626652131733082","233392774852901342234222876334376782423","143294482730940875398179024393826938036","266500950927352471030922760289034248797","252846042200044892050975798432609940730","90207434361406056614086818647479925625","185862110004074570606214595902031691087","178893089860124311825482289135588465674","83319913446240958768843604548327352688","218699958079514764527020125622997144089","306813342855486788261924650826877786723","105135349804760838859480469610730392589","102715412356406950219770955940244365114","254559775657009495532498420085276850740"]}}],"spl":"2024-02-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/e3c537ddea5ce8b28eeb89300ef602753cfe42a4"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-230492947.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2024-02-01"}]}],"versions":["11"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java"},"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/d8368be4f8fb7019ea24b4798f029301c704092c","deprecated":false,"id":"ASB-A-230492947-5244fe62","digest":{"threshold":0.9,"line_hashes":["120415229720468996380690857990573363595","327094437813866272250379025753693221449","339779152981538331835857088783300759202","177809087579538070238245537243034007378","269362116107589722058194574776708902081","211120903689026081872699511213836936458","177518341316800841019033746497660654053","90441556475865503974638013575629514139","274750268841000127607454789105091675295","311103090027810912653217446501431600245","311545419293262592779433611898598004330","64422315487152615121553626652131733082","233392774852901342234222876334376782423","143294482730940875398179024393826938036","266500950927352471030922760289034248797","252846042200044892050975798432609940730","90207434361406056614086818647479925625","185862110004074570606214595902031691087","178893089860124311825482289135588465674","83319913446240958768843604548327352688","218699958079514764527020125622997144089","306813342855486788261924650826877786723","105135349804760838859480469610730392589","102715412356406950219770955940244365114","187592578516121496378792813621002668412"]}},{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java","function":"startNextMatchingActivity"},"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/d8368be4f8fb7019ea24b4798f029301c704092c","deprecated":false,"id":"ASB-A-230492947-8fad7864","digest":{"length":2843,"function_hash":"37162690762240711687969860934366843072"}}],"spl":"2024-02-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/d8368be4f8fb7019ea24b4798f029301c704092c"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-230492947.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2024-02-01"}]}],"versions":["12"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java","function":"startNextMatchingActivity"},"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/d54a64bdf71d1c91542b6885149fd176622ad0b4","deprecated":false,"id":"ASB-A-230492947-8f085166","digest":{"length":2843,"function_hash":"37162690762240711687969860934366843072"}},{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java"},"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/d54a64bdf71d1c91542b6885149fd176622ad0b4","deprecated":false,"id":"ASB-A-230492947-aa032262","digest":{"threshold":0.9,"line_hashes":["120415229720468996380690857990573363595","327094437813866272250379025753693221449","339779152981538331835857088783300759202","177809087579538070238245537243034007378","269362116107589722058194574776708902081","211120903689026081872699511213836936458","177518341316800841019033746497660654053","90441556475865503974638013575629514139","274750268841000127607454789105091675295","311103090027810912653217446501431600245","311545419293262592779433611898598004330","64422315487152615121553626652131733082","233392774852901342234222876334376782423","143294482730940875398179024393826938036","266500950927352471030922760289034248797","252846042200044892050975798432609940730","90207434361406056614086818647479925625","185862110004074570606214595902031691087","178893089860124311825482289135588465674","83319913446240958768843604548327352688","218699958079514764527020125622997144089","306813342855486788261924650826877786723","105135349804760838859480469610730392589","102715412356406950219770955940244365114","187592578516121496378792813621002668412"]}}],"spl":"2024-02-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/d54a64bdf71d1c91542b6885149fd176622ad0b4"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-230492947.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2024-02-01"}]}],"versions":["12L"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java"},"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/d54a64bdf71d1c91542b6885149fd176622ad0b4","deprecated":false,"id":"ASB-A-230492947-274cd1e9","digest":{"threshold":0.9,"line_hashes":["120415229720468996380690857990573363595","327094437813866272250379025753693221449","339779152981538331835857088783300759202","177809087579538070238245537243034007378","269362116107589722058194574776708902081","211120903689026081872699511213836936458","177518341316800841019033746497660654053","90441556475865503974638013575629514139","274750268841000127607454789105091675295","311103090027810912653217446501431600245","311545419293262592779433611898598004330","64422315487152615121553626652131733082","233392774852901342234222876334376782423","143294482730940875398179024393826938036","266500950927352471030922760289034248797","252846042200044892050975798432609940730","90207434361406056614086818647479925625","185862110004074570606214595902031691087","178893089860124311825482289135588465674","83319913446240958768843604548327352688","218699958079514764527020125622997144089","306813342855486788261924650826877786723","105135349804760838859480469610730392589","102715412356406950219770955940244365114","187592578516121496378792813621002668412"]}},{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java","function":"startNextMatchingActivity"},"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/d54a64bdf71d1c91542b6885149fd176622ad0b4","deprecated":false,"id":"ASB-A-230492947-dccbf8c3","digest":{"length":2843,"function_hash":"37162690762240711687969860934366843072"}}],"spl":"2024-02-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/d54a64bdf71d1c91542b6885149fd176622ad0b4"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-230492947.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2024-02-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java","function":"startNextMatchingActivity"},"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/3e9da3ec4705b072dbe8a10e8ffc841f4928381c","deprecated":false,"id":"ASB-A-230492947-32408ac1","digest":{"length":2840,"function_hash":"19449996417798360393601174700087878694"}},{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java"},"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/3e9da3ec4705b072dbe8a10e8ffc841f4928381c","deprecated":false,"id":"ASB-A-230492947-9fe62e07","digest":{"threshold":0.9,"line_hashes":["120415229720468996380690857990573363595","327094437813866272250379025753693221449","339779152981538331835857088783300759202","177809087579538070238245537243034007378","269362116107589722058194574776708902081","53221371259381438459360905865126339575","155046736446939757154999034983477504036","64531953434324119995642499705604382882","333516042649489253463512250328517668790","311103090027810912653217446501431600245","311545419293262592779433611898598004330","64422315487152615121553626652131733082","233392774852901342234222876334376782423","143294482730940875398179024393826938036","266500950927352471030922760289034248797","252846042200044892050975798432609940730","90207434361406056614086818647479925625","185862110004074570606214595902031691087","178893089860124311825482289135588465674","83319913446240958768843604548327352688","218699958079514764527020125622997144089","306813342855486788261924650826877786723","105135349804760838859480469610730392589","102715412356406950219770955940244365114","254559775657009495532498420085276850740"]}}],"spl":"2024-02-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/3e9da3ec4705b072dbe8a10e8ffc841f4928381c"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-230492947.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-02-01"}]}],"versions":["14"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java"},"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/e1edaa27ea2f6911977556c5bba876a2319d5e2d","deprecated":false,"id":"ASB-A-230492947-d2a3431f","digest":{"threshold":0.9,"line_hashes":["120415229720468996380690857990573363595","327094437813866272250379025753693221449","339779152981538331835857088783300759202","177809087579538070238245537243034007378","90207434361406056614086818647479925625","185862110004074570606214595902031691087","178893089860124311825482289135588465674","83319913446240958768843604548327352688","218699958079514764527020125622997144089","306813342855486788261924650826877786723","105135349804760838859480469610730392589","102715412356406950219770955940244365114","254559775657009495532498420085276850740"]}},{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java","function":"startNextMatchingActivity"},"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/e1edaa27ea2f6911977556c5bba876a2319d5e2d","deprecated":false,"id":"ASB-A-230492947-e4ce0a98","digest":{"length":2840,"function_hash":"19449996417798360393601174700087878694"}}],"spl":"2024-02-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/e1edaa27ea2f6911977556c5bba876a2319d5e2d"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-230492947.json"}}],"schema_version":"1.7.5"}