{"id":"ASB-A-271576718","details":"In startActivityInner of ActivityStarter.java, there is a possible way to launch an activity into PiP mode from the background due to BAL bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-271576718","CVE-2023-21269"],"modified":"2026-04-28T15:17:37.552933Z","published":"2023-08-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-08-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/70ec64dc5a2a816d6aa324190a726a85fd749b30"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-08-01"}]}],"versions":["13-next"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"id":"ASB-A-271576718-95f86224","source":"https://android.googlesource.com/platform/frameworks/base/+/7492cc27309a2f4a4ae5ff79a99096be1431a782","signature_version":"v1","target":{"file":"services/core/java/com/android/server/wm/ActivityStarter.java"},"digest":{"line_hashes":["134947529502951831668270656580359601373","277226130643309214419475919620173111237","198798168878448932504341959297564024104","237545856553853460085321395962383201414"],"threshold":0.9},"deprecated":false,"signature_type":"Line"},{"id":"ASB-A-271576718-b2254e09","source":"https://android.googlesource.com/platform/frameworks/base/+/7492cc27309a2f4a4ae5ff79a99096be1431a782","signature_version":"v1","target":{"function":"startActivityInner","file":"services/core/java/com/android/server/wm/ActivityStarter.java"},"digest":{"length":5300,"function_hash":"37306378361630926012919246178624735986"},"deprecated":false,"signature_type":"Function"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/7492cc27309a2f4a4ae5ff79a99096be1431a782"],"spl":"2023-08-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-271576718.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-08-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"id":"ASB-A-271576718-368fda98","source":"https://android.googlesource.com/platform/frameworks/base/+/1848b559059e021d1a923513ca2a936c6212a7ac","signature_version":"v1","target":{"file":"services/core/java/com/android/server/wm/ActivityStarter.java"},"digest":{"line_hashes":["134947529502951831668270656580359601373","277226130643309214419475919620173111237","198798168878448932504341959297564024104","237545856553853460085321395962383201414"],"threshold":0.9},"deprecated":false,"signature_type":"Line"},{"id":"ASB-A-271576718-c9a96ec4","source":"https://android.googlesource.com/platform/frameworks/base/+/1848b559059e021d1a923513ca2a936c6212a7ac","signature_version":"v1","target":{"function":"startActivityInner","file":"services/core/java/com/android/server/wm/ActivityStarter.java"},"digest":{"length":4293,"function_hash":"141367226848251006641507464669532675536"},"deprecated":false,"signature_type":"Function"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/1848b559059e021d1a923513ca2a936c6212a7ac"],"spl":"2023-08-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-271576718.json"}}],"schema_version":"1.7.5"}