{"id":"ASB-A-288896339","details":"In keyguardGoingAway of ActivityTaskManagerService.java, there is a possible lock screen bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-288896339","CVE-2023-40094"],"modified":"2026-05-22T15:55:21.353668239Z","published":"2023-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/1120bc7e511710b1b774adf29ba47106292365e7"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2023-12-01"}]}],"versions":["14-next"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/bd2aa5d309c5bf8e73161975bd5aba7945b25e84"],"severity":"High","vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java","function":"keyguardGoingAway"},"source":"https://android.googlesource.com/platform/frameworks/base/+/bd2aa5d309c5bf8e73161975bd5aba7945b25e84","signature_version":"v1","signature_type":"Function","digest":{"function_hash":"18450793016039751882161471123903104771","length":618},"id":"ASB-A-288896339-1c661055","deprecated":false},{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java"},"digest":{"threshold":0.9,"line_hashes":["130489095145400917776813713537007795442","278193841134142408998192934093106006356","330932791736218819777175471699729872299","56211969826742766420930325550656389895","127224605848258698820843035590132556834","264741881997647552184624361309976979613","101117958547520561979416695057660209376"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/bd2aa5d309c5bf8e73161975bd5aba7945b25e84","signature_type":"Line","signature_version":"v1","id":"ASB-A-288896339-2a158430","deprecated":false}],"spl":"2023-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-288896339.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-12-01"}]}],"versions":["11"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/ad8e7e3b1db22684988a179e23639567a4096ca6"],"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/ad8e7e3b1db22684988a179e23639567a4096ca6","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["130489095145400917776813713537007795442","104423481067330968789877443750909090044","23336195211901233531059176708158255384","56211969826742766420930325550656389895","127224605848258698820843035590132556834","264741881997647552184624361309976979613","101117958547520561979416695057660209376"]},"id":"ASB-A-288896339-10749946","deprecated":false},{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java","function":"keyguardGoingAway"},"signature_type":"Function","digest":{"function_hash":"220605962547549702920589314919307302123","length":235},"source":"https://android.googlesource.com/platform/frameworks/base/+/ad8e7e3b1db22684988a179e23639567a4096ca6","signature_version":"v1","id":"ASB-A-288896339-6bf98c35","deprecated":false}],"spl":"2023-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-288896339.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-12-01"}]}],"versions":["12"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/7f28e3eaaf7c91c6b22ef89a9f18bfe081ba5b1e"],"severity":"High","vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/7f28e3eaaf7c91c6b22ef89a9f18bfe081ba5b1e","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["130489095145400917776813713537007795442","104423481067330968789877443750909090044","23336195211901233531059176708158255384","56211969826742766420930325550656389895","127224605848258698820843035590132556834","264741881997647552184624361309976979613","101117958547520561979416695057660209376"]},"id":"ASB-A-288896339-2cffc941","deprecated":false},{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java","function":"keyguardGoingAway"},"digest":{"function_hash":"220605962547549702920589314919307302123","length":235},"source":"https://android.googlesource.com/platform/frameworks/base/+/7f28e3eaaf7c91c6b22ef89a9f18bfe081ba5b1e","signature_type":"Function","signature_version":"v1","id":"ASB-A-288896339-79f795f4","deprecated":false}],"spl":"2023-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-288896339.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-12-01"}]}],"versions":["12L"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/6568e40be92a15def8e0b6da9c3a18633a71cc3b"],"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java","function":"keyguardGoingAway"},"source":"https://android.googlesource.com/platform/frameworks/base/+/6568e40be92a15def8e0b6da9c3a18633a71cc3b","signature_version":"v1","signature_type":"Function","digest":{"function_hash":"220605962547549702920589314919307302123","length":235},"id":"ASB-A-288896339-026a0854","deprecated":false},{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java"},"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/6568e40be92a15def8e0b6da9c3a18633a71cc3b","digest":{"threshold":0.9,"line_hashes":["130489095145400917776813713537007795442","104423481067330968789877443750909090044","23336195211901233531059176708158255384","56211969826742766420930325550656389895","127224605848258698820843035590132556834","264741881997647552184624361309976979613","101117958547520561979416695057660209376"]},"id":"ASB-A-288896339-38c5aaf8","deprecated":false}],"spl":"2023-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-288896339.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-12-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/41bc7c0042f1dd004179f32376f72a8811d83c6e"],"vanir_signatures":[{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/41bc7c0042f1dd004179f32376f72a8811d83c6e","signature_version":"v1","signature_type":"Function","digest":{"function_hash":"305551150509788336900740638482705596740","length":463},"id":"ASB-A-288896339-18d69855","target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java","function":"keyguardGoingAway"}},{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/41bc7c0042f1dd004179f32376f72a8811d83c6e","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["130489095145400917776813713537007795442","104423481067330968789877443750909090044","23336195211901233531059176708158255384","56211969826742766420930325550656389895","127224605848258698820843035590132556834","264741881997647552184624361309976979613","101117958547520561979416695057660209376"]},"id":"ASB-A-288896339-a8923c81","deprecated":false}],"spl":"2023-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-288896339.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2023-12-01"}]}],"versions":["14"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/d41eb87422d238a5c854e67ef73d300c9d1caf0c"],"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java"},"digest":{"threshold":0.9,"line_hashes":["130489095145400917776813713537007795442","278193841134142408998192934093106006356","330932791736218819777175471699729872299","56211969826742766420930325550656389895","127224605848258698820843035590132556834","264741881997647552184624361309976979613","101117958547520561979416695057660209376"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/d41eb87422d238a5c854e67ef73d300c9d1caf0c","signature_type":"Line","signature_version":"v1","id":"ASB-A-288896339-c635eb41","deprecated":false},{"target":{"file":"services/core/java/com/android/server/wm/ActivityTaskManagerService.java","function":"keyguardGoingAway"},"signature_type":"Function","digest":{"function_hash":"18450793016039751882161471123903104771","length":618},"source":"https://android.googlesource.com/platform/frameworks/base/+/d41eb87422d238a5c854e67ef73d300c9d1caf0c","signature_version":"v1","id":"ASB-A-288896339-fe32f71d","deprecated":false}],"spl":"2023-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-288896339.json"}}],"schema_version":"1.7.5"}