{"id":"ASB-A-302431573","details":"In hide of WindowState.java, there is a possible way to bypass tapjacking/overlay protection by launching the activity in portrait mode first and then rotating it to landscape mode. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.","aliases":["A-302431573","CVE-2024-31324"],"modified":"2026-05-22T15:55:21.353668239Z","published":"2024-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2024-06-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/f16cc1135b414906164eb8fc55a76971b0e36c21"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2024-06-01"}]}],"versions":["14-next"],"ecosystem_specific":{"spl":"2024-06-01","types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/9add9281ffc120c81a7d125892803f1beb5ddcb3"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/9add9281ffc120c81a7d125892803f1beb5ddcb3","digest":{"threshold":0.9,"line_hashes":["245473983391176718730302978641546328531","313924545993132266942307048621488058859","78977014087797705884292750982204257011","65386863379916081592018638255243931228","5552599176822769912654983223030363506"]},"signature_type":"Line","id":"ASB-A-302431573-85657139","deprecated":false,"signature_version":"v1","target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/9add9281ffc120c81a7d125892803f1beb5ddcb3","digest":{"function_hash":"293916606590406921557414224347428403917","length":897},"signature_type":"Function","id":"ASB-A-302431573-eebaecae","deprecated":false,"signature_version":"v1","target":{"file":"services/core/java/com/android/server/wm/WindowState.java","function":"hide"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-302431573.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2024-06-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2024-06-01","types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/10a7f0914c87f4af521b5cbb13e84a83dacebf82"],"vanir_signatures":[{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["245473983391176718730302978641546328531","313924545993132266942307048621488058859","78977014087797705884292750982204257011","65386863379916081592018638255243931228","5552599176822769912654983223030363506"]},"signature_type":"Line","id":"ASB-A-302431573-87113032","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/10a7f0914c87f4af521b5cbb13e84a83dacebf82","target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}},{"signature_type":"Function","digest":{"function_hash":"293916606590406921557414224347428403917","length":897},"source":"https://android.googlesource.com/platform/frameworks/base/+/10a7f0914c87f4af521b5cbb13e84a83dacebf82","id":"ASB-A-302431573-9bcb9968","deprecated":false,"signature_version":"v1","target":{"file":"services/core/java/com/android/server/wm/WindowState.java","function":"hide"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-302431573.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2024-06-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2024-06-01","types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/10a7f0914c87f4af521b5cbb13e84a83dacebf82"],"vanir_signatures":[{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["245473983391176718730302978641546328531","313924545993132266942307048621488058859","78977014087797705884292750982204257011","65386863379916081592018638255243931228","5552599176822769912654983223030363506"]},"signature_type":"Line","id":"ASB-A-302431573-2b649be8","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/10a7f0914c87f4af521b5cbb13e84a83dacebf82","target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}},{"signature_version":"v1","digest":{"function_hash":"293916606590406921557414224347428403917","length":897},"signature_type":"Function","id":"ASB-A-302431573-d289eff7","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/10a7f0914c87f4af521b5cbb13e84a83dacebf82","target":{"file":"services/core/java/com/android/server/wm/WindowState.java","function":"hide"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-302431573.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2024-06-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2024-06-01","types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/10a7f0914c87f4af521b5cbb13e84a83dacebf82"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/10a7f0914c87f4af521b5cbb13e84a83dacebf82","digest":{"threshold":0.9,"line_hashes":["245473983391176718730302978641546328531","313924545993132266942307048621488058859","78977014087797705884292750982204257011","65386863379916081592018638255243931228","5552599176822769912654983223030363506"]},"signature_type":"Line","id":"ASB-A-302431573-01dcf300","deprecated":false,"signature_version":"v1","target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/10a7f0914c87f4af521b5cbb13e84a83dacebf82","digest":{"function_hash":"293916606590406921557414224347428403917","length":897},"signature_type":"Function","deprecated":false,"id":"ASB-A-302431573-e43f85e0","signature_version":"v1","target":{"file":"services/core/java/com/android/server/wm/WindowState.java","function":"hide"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-302431573.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-06-01"}]}],"versions":["14"],"ecosystem_specific":{"spl":"2024-06-01","types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/10a7f0914c87f4af521b5cbb13e84a83dacebf82"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/10a7f0914c87f4af521b5cbb13e84a83dacebf82","digest":{"line_hashes":["245473983391176718730302978641546328531","313924545993132266942307048621488058859","78977014087797705884292750982204257011","65386863379916081592018638255243931228","5552599176822769912654983223030363506"],"threshold":0.9},"signature_type":"Line","id":"ASB-A-302431573-9d4139a5","deprecated":false,"signature_version":"v1","target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/10a7f0914c87f4af521b5cbb13e84a83dacebf82","digest":{"function_hash":"293916606590406921557414224347428403917","length":897},"signature_type":"Function","id":"ASB-A-302431573-a0fdc2f0","deprecated":false,"signature_version":"v1","target":{"file":"services/core/java/com/android/server/wm/WindowState.java","function":"hide"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-302431573.json"}}],"schema_version":"1.7.5"}