{"id":"ASB-A-270368476","details":"In onTaskAppeared of PipTaskOrganizer.java, there is a possible way to bypass background activity launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-270368476","CVE-2023-40116"],"modified":"2026-05-22T15:55:21.353668239Z","published":"2023-10-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-10-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/18c3b194642f3949d09e48c21da5658fa04994c8"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/18c3b194642f3949d09e48c21da5658fa04994c8"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-10-01"}]}],"versions":["11"],"ecosystem_specific":{"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2","deprecated":false,"target":{"file":"packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java"},"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["66409941875196780203679071720485759320","249825501416818358814829213642476147194","118699811272894210661265234708291264000","314904124287885909992861234525384513709","16119790279244530535461322802107562818","246494807188314216618621120050554696607","140513676057509253661067554560652494122","295050921507719318349337065064110109731","105045769641888133769977750158259718043","261734575546930252780250644523880121497","242913691792290724166339716119192646636","246781055635329598112787772846097277756","99438466694255604288644571851072757610"]},"id":"ASB-A-270368476-6163c3d5"},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2","target":{"file":"packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java","function":"onTaskAppeared"},"digest":{"length":1410,"function_hash":"181491400177493555429237816646891076314"},"signature_type":"Function","signature_version":"v1","id":"ASB-A-270368476-62230532"},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2","target":{"file":"packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java","function":"getValidSourceHintRect"},"digest":{"length":289,"function_hash":"39469595170827841739636224664203121629"},"signature_type":"Function","signature_version":"v1","id":"ASB-A-270368476-63f5e53e"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2"],"severity":"High","types":["EoP"],"spl":"2023-10-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-270368476.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-10-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"match_only_versions":["12"],"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["209429025854056159767914066393032300010","220444712238162245414505967688722991297","178767500888007998083315743702464392481","299257603002189761949365254086058776383","20542107226573851640259004201327613496","263103364633141960488986345083847579584","241829706067599882521182732383981463301","222059183804709081811937293704782343215","32839148087363786103231288248690155168","338689995397819220111778241252026700835"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea","deprecated":false,"target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java"},"signature_type":"Line","id":"ASB-A-270368476-34add312"},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea","target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java","function":"startEnterAnimation"},"id":"ASB-A-270368476-3c8148fd","digest":{"length":1088,"function_hash":"38289670632256435549636737135832254850"},"signature_version":"v1","signature_type":"Function"},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea","target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java","function":"onTaskAppeared"},"digest":{"length":2119,"function_hash":"160389746768882259763309770676722951051"},"signature_type":"Function","signature_version":"v1","id":"ASB-A-270368476-491f2d73"},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea","target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java","function":"onTaskAppearedWithFixedRotation"},"id":"ASB-A-270368476-7450e521","digest":{"length":713,"function_hash":"316511690904435827584297228092807432492"},"signature_version":"v1","signature_type":"Function"},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea","target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["63782221699039313840523007087291989928","45004624479083865885120527292616715238","97263869434801543928923037464445227885","71726101960436302332167399892895922560"]},"signature_version":"v1","id":"ASB-A-270368476-f3bea353"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea"],"severity":"High","types":["EoP"],"spl":"2023-10-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-270368476.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-10-01"}]}],"versions":["12L"],"ecosystem_specific":{"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074","deprecated":false,"target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java","function":"onTaskAppearedWithFixedRotation"},"signature_version":"v1","signature_type":"Function","digest":{"length":752,"function_hash":"338005715330227342067705909101533423797"},"id":"ASB-A-270368476-5f896475"},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074","target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java"},"digest":{"threshold":0.9,"line_hashes":["63782221699039313840523007087291989928","45004624479083865885120527292616715238","97263869434801543928923037464445227885","236889982355939381297150488357076962895"]},"signature_type":"Line","signature_version":"v1","id":"ASB-A-270368476-73710627"},{"match_only_versions":["12L"],"digest":{"threshold":0.9,"line_hashes":["209429025854056159767914066393032300010","220444712238162245414505967688722991297","178767500888007998083315743702464392481","299257603002189761949365254086058776383","20542107226573851640259004201327613496","263103364633141960488986345083847579584","241829706067599882521182732383981463301","222059183804709081811937293704782343215","32839148087363786103231288248690155168","67825956692415463057629696979124117501"]},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074","deprecated":false,"target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java"},"id":"ASB-A-270368476-913a7f5b","signature_type":"Line"},{"source":"https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074","deprecated":false,"target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java","function":"startEnterAnimation"},"signature_version":"v1","signature_type":"Function","digest":{"length":2174,"function_hash":"110587108648452807324641174991334861851"},"id":"ASB-A-270368476-91a09449"},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074","target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java","function":"onTaskAppeared"},"id":"ASB-A-270368476-c5832c66","digest":{"length":2304,"function_hash":"56007200615144024626055728707502052307"},"signature_version":"v1","signature_type":"Function"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074"],"severity":"High","types":["EoP"],"spl":"2023-10-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-270368476.json"}}],"schema_version":"1.7.5"}