{"id":"ASB-A-317048338","details":"In onTransact of ParcelableListBinder.java , there is a possible way to steal mAllowlistToken to launch an app from background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-317048338","CVE-2024-34723"],"modified":"2026-05-15T15:01:37.959123Z","published":"2024-07-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2024-07-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/c702bb71811993960debe0c18fcf8834cfa2454f"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2024-07-01"}]}],"versions":["14-next"],"ecosystem_specific":{"vanir_signatures":[{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java"},"id":"ASB-A-317048338-1e26853a","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/c5fc8ea92c0aabbb2fdccc23b743c18a8bf62e64","digest":{"threshold":0.9,"line_hashes":["277414439674915683742142744915414494344","9155515753219081534698570184541400972","108523684834901997976744731577859307119","207650444937645740851379120624853955330","131871105866204800642630690674865431182","253195722049323863173684665670044847624","207371717012017084315715725166305903847","130340700937132950314679418677373074842","209868289336708692528790631341754177785","246906291923128057153073030125872865137","112898930566137033651887153629522846317"]},"deprecated":false,"signature_version":"v1"},{"target":{"file":"services/core/java/com/android/server/media/MediaSessionRecord.java"},"id":"ASB-A-317048338-4d141020","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/c5fc8ea92c0aabbb2fdccc23b743c18a8bf62e64","digest":{"threshold":0.9,"line_hashes":["223098869778792187233221702169479404469","148411122483376070416404714235843314034","193648132976712986893750581745768761410","159704646286461114910839525191750144915","234419997433143833309551793298012071675","139060567859374558189901606618907421782","23501822227056199231068231509741477459","287348090354746631072460210529853813400","254726124340971479487934881966816465097"]},"deprecated":false,"signature_version":"v1"},{"target":{"file":"services/core/java/com/android/server/media/MediaSessionRecord.java","function":"getBinderForSetQueue"},"id":"ASB-A-317048338-adeafe8a","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/c5fc8ea92c0aabbb2fdccc23b743c18a8bf62e64","digest":{"length":212,"function_hash":"119401332131997474521646555619788514507"},"deprecated":false,"signature_version":"v1"},{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java","function":"onTransact"},"id":"ASB-A-317048338-ce77b485","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/c5fc8ea92c0aabbb2fdccc23b743c18a8bf62e64","digest":{"length":638,"function_hash":"119558734287650650039236647575312971643"},"deprecated":false,"signature_version":"v1"},{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java","function":"ParcelableListBinder"},"id":"ASB-A-317048338-e1e08e75","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/c5fc8ea92c0aabbb2fdccc23b743c18a8bf62e64","digest":{"length":58,"function_hash":"96502798840140682248892902518676650319"},"deprecated":false,"signature_version":"v1"}],"severity":"High","spl":"2024-07-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/c5fc8ea92c0aabbb2fdccc23b743c18a8bf62e64"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-317048338.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2024-07-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java","function":"onTransact"},"id":"ASB-A-317048338-097bc016","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"length":638,"function_hash":"119558734287650650039236647575312971643"},"deprecated":false,"signature_version":"v1"},{"target":{"file":"services/core/java/com/android/server/media/MediaSessionRecord.java","function":"getBinderForSetQueue"},"id":"ASB-A-317048338-1bdd3633","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"length":212,"function_hash":"119401332131997474521646555619788514507"},"deprecated":false,"signature_version":"v1"},{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java"},"id":"ASB-A-317048338-2d56e50d","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"threshold":0.9,"line_hashes":["277414439674915683742142744915414494344","9155515753219081534698570184541400972","108523684834901997976744731577859307119","207650444937645740851379120624853955330","131871105866204800642630690674865431182","253195722049323863173684665670044847624","207371717012017084315715725166305903847","130340700937132950314679418677373074842","209868289336708692528790631341754177785","246906291923128057153073030125872865137","112898930566137033651887153629522846317"]},"deprecated":false,"signature_version":"v1"},{"target":{"file":"services/core/java/com/android/server/media/MediaSessionRecord.java"},"id":"ASB-A-317048338-ac8b045c","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"threshold":0.9,"line_hashes":["223098869778792187233221702169479404469","148411122483376070416404714235843314034","193648132976712986893750581745768761410","159704646286461114910839525191750144915","234419997433143833309551793298012071675","139060567859374558189901606618907421782","23501822227056199231068231509741477459","287348090354746631072460210529853813400","254726124340971479487934881966816465097"]},"deprecated":false,"signature_version":"v1"},{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java","function":"ParcelableListBinder"},"id":"ASB-A-317048338-f07aa195","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"length":58,"function_hash":"96502798840140682248892902518676650319"},"deprecated":false,"signature_version":"v1"}],"severity":"High","spl":"2024-07-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-317048338.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2024-07-01"}]}],"versions":["12L"],"ecosystem_specific":{"vanir_signatures":[{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java"},"id":"ASB-A-317048338-5f4d145c","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"threshold":0.9,"line_hashes":["277414439674915683742142744915414494344","9155515753219081534698570184541400972","108523684834901997976744731577859307119","207650444937645740851379120624853955330","131871105866204800642630690674865431182","253195722049323863173684665670044847624","207371717012017084315715725166305903847","130340700937132950314679418677373074842","209868289336708692528790631341754177785","246906291923128057153073030125872865137","112898930566137033651887153629522846317"]},"deprecated":false,"signature_version":"v1"},{"target":{"file":"services/core/java/com/android/server/media/MediaSessionRecord.java","function":"getBinderForSetQueue"},"id":"ASB-A-317048338-74817cf4","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"length":212,"function_hash":"119401332131997474521646555619788514507"},"deprecated":false,"signature_version":"v1"},{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java","function":"ParcelableListBinder"},"id":"ASB-A-317048338-9d0ab990","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"length":58,"function_hash":"96502798840140682248892902518676650319"},"deprecated":false,"signature_version":"v1"},{"target":{"file":"services/core/java/com/android/server/media/MediaSessionRecord.java"},"id":"ASB-A-317048338-a6a291aa","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"threshold":0.9,"line_hashes":["223098869778792187233221702169479404469","148411122483376070416404714235843314034","193648132976712986893750581745768761410","159704646286461114910839525191750144915","234419997433143833309551793298012071675","139060567859374558189901606618907421782","23501822227056199231068231509741477459","287348090354746631072460210529853813400","254726124340971479487934881966816465097"]},"deprecated":false,"signature_version":"v1"},{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java","function":"onTransact"},"id":"ASB-A-317048338-d0efc56d","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"length":638,"function_hash":"119558734287650650039236647575312971643"},"deprecated":false,"signature_version":"v1"}],"severity":"High","spl":"2024-07-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-317048338.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2024-07-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/media/MediaSessionRecord.java","function":"getBinderForSetQueue"},"id":"ASB-A-317048338-1e5114b9","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"length":212,"function_hash":"119401332131997474521646555619788514507"},"deprecated":false,"signature_version":"v1"},{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java","function":"ParcelableListBinder"},"id":"ASB-A-317048338-780241f8","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"length":58,"function_hash":"96502798840140682248892902518676650319"},"deprecated":false,"signature_version":"v1"},{"target":{"file":"services/core/java/com/android/server/media/MediaSessionRecord.java"},"id":"ASB-A-317048338-8ad2960c","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"threshold":0.9,"line_hashes":["223098869778792187233221702169479404469","148411122483376070416404714235843314034","193648132976712986893750581745768761410","159704646286461114910839525191750144915","234419997433143833309551793298012071675","139060567859374558189901606618907421782","23501822227056199231068231509741477459","287348090354746631072460210529853813400","254726124340971479487934881966816465097"]},"deprecated":false,"signature_version":"v1"},{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java","function":"onTransact"},"id":"ASB-A-317048338-aeee0688","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"length":638,"function_hash":"119558734287650650039236647575312971643"},"deprecated":false,"signature_version":"v1"},{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java"},"id":"ASB-A-317048338-ffe4cc06","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"threshold":0.9,"line_hashes":["277414439674915683742142744915414494344","9155515753219081534698570184541400972","108523684834901997976744731577859307119","207650444937645740851379120624853955330","131871105866204800642630690674865431182","253195722049323863173684665670044847624","207371717012017084315715725166305903847","130340700937132950314679418677373074842","209868289336708692528790631341754177785","246906291923128057153073030125872865137","112898930566137033651887153629522846317"]},"deprecated":false,"signature_version":"v1"}],"severity":"High","spl":"2024-07-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-317048338.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-07-01"}]}],"versions":["14"],"ecosystem_specific":{"vanir_signatures":[{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java"},"id":"ASB-A-317048338-1f5e3044","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"threshold":0.9,"line_hashes":["277414439674915683742142744915414494344","9155515753219081534698570184541400972","108523684834901997976744731577859307119","207650444937645740851379120624853955330","131871105866204800642630690674865431182","253195722049323863173684665670044847624","207371717012017084315715725166305903847","130340700937132950314679418677373074842","209868289336708692528790631341754177785","246906291923128057153073030125872865137","112898930566137033651887153629522846317"]},"deprecated":false,"signature_version":"v1"},{"target":{"file":"services/core/java/com/android/server/media/MediaSessionRecord.java"},"id":"ASB-A-317048338-246aa90f","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"threshold":0.9,"line_hashes":["223098869778792187233221702169479404469","148411122483376070416404714235843314034","193648132976712986893750581745768761410","159704646286461114910839525191750144915","234419997433143833309551793298012071675","139060567859374558189901606618907421782","23501822227056199231068231509741477459","287348090354746631072460210529853813400","254726124340971479487934881966816465097"]},"deprecated":false,"signature_version":"v1"},{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java","function":"onTransact"},"id":"ASB-A-317048338-2f65164b","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"length":638,"function_hash":"119558734287650650039236647575312971643"},"deprecated":false,"signature_version":"v1"},{"target":{"file":"services/core/java/com/android/server/media/MediaSessionRecord.java","function":"getBinderForSetQueue"},"id":"ASB-A-317048338-6337cc19","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"length":212,"function_hash":"119401332131997474521646555619788514507"},"deprecated":false,"signature_version":"v1"},{"target":{"file":"media/java/android/media/session/ParcelableListBinder.java","function":"ParcelableListBinder"},"id":"ASB-A-317048338-7bc299b1","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0","digest":{"length":58,"function_hash":"96502798840140682248892902518676650319"},"deprecated":false,"signature_version":"v1"}],"severity":"High","spl":"2024-07-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/df3584bb93ab89d7e174f7d39e42d4b22cb92fe0"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-317048338.json"}}],"schema_version":"1.7.5"}