{"id":"ASB-A-324321147","details":"In rebootRecoveryWithCommand of RecoverySystemService.java, there is a possible way to bypass a factory reset due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.","aliases":["A-324321147","CVE-2024-32896","PUB-A-324321147"],"modified":"2026-04-10T16:16:18.068628Z","published":"2024-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2024-09-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/system/sepolicy/+/92cbf8d4f18ccb2c488f50b7300bd6bfc33023aa"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/8b7b2c66ca96d711fb364cbcc9d655197d9743e0"}],"affected":[{"package":{"name":"platform/build/soong","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2024-09-01"}]}],"versions":["15-next"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/build/soong/+/c8170926f66853d4ff38e48c7af4ab9fdf0ae5ae"],"severity":"High","spl":"2024-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-324321147.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2024-09-01"}]}],"versions":["15-next"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/05b1440e06c84212b4353be7f5cbe97fd1bccafb"],"severity":"High","spl":"2024-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-324321147.json"}},{"package":{"name":"platform/hardware/interfaces","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2024-09-01"}]}],"versions":["15-next"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/hardware/interfaces/+/ea595e8e4f01272c0d2664bf7d7ec3710a697709"],"severity":"High","spl":"2024-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-324321147.json"}},{"package":{"name":"platform/system/sepolicy","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2024-09-01"}]}],"versions":["15-next"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/system/sepolicy/+/d157988ec5b5f057894fe7ff785f163291d9d767","https://android.googlesource.com/platform/system/sepolicy/+/ca6c75b9572904b0bd8f9d06c8aff2f85e73e30e"],"severity":"High","spl":"2024-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-324321147.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2024-09-01"}]}],"versions":["12"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/9cdf9eae2e02a6c3651379c33c4655368b009d13"],"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/9cdf9eae2e02a6c3651379c33c4655368b009d13","signature_type":"Function","target":{"function":"rebootRecoveryWithCommand","file":"services/core/java/com/android/server/recoverysystem/RecoverySystemService.java"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"139922616437392163507278178696116101270","length":286},"id":"ASB-A-324321147-10881165"},{"source":"https://android.googlesource.com/platform/frameworks/base/+/9cdf9eae2e02a6c3651379c33c4655368b009d13","signature_type":"Line","target":{"file":"keystore/java/android/security/AndroidKeyStoreMaintenance.java"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["215485146313622133872370603463836092731","205619386683574268652504478022636040735","235763321046038053102798807198667731616","7688259249438231920505158748089878033","118716778913461625128780261708081465621","315986714790696207876844379763168183773","240590361150340286664442456230007112536"],"threshold":0.9},"id":"ASB-A-324321147-541a37d8"},{"source":"https://android.googlesource.com/platform/frameworks/base/+/9cdf9eae2e02a6c3651379c33c4655368b009d13","signature_type":"Line","target":{"file":"services/core/java/com/android/server/recoverysystem/RecoverySystemService.java"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["290337205886082135664529271757085873662","44429003753278533918622652126628414746","95327427366099733971419211419415740775","193889559835343262853449875426062891055","52224330636178064851567392536525593756","34502311669572159593657740304219709331","248090791415092687519252799318411576738","275981375170790350061832965663579552572","335827388881238834665748622198376128843","4225917573281046722291225321582006865","23071830967478108637982025294452876294","4229832248663760137762095319238212756","34119448714758358513840952482255755156","692012383037161591342128733200314459","230973617615232794927698200478858730588","167845493303323722965697666503820776122","295029509456953677546158947474111980930","7882601665261321662698907659192602205","138761776906697323821268530347604769319","219182742916591629188321973430301238698","133865736767393987389982785909657267233","147530044308696879745964161830830661050","311420992284092135004605336394684948551"],"threshold":0.9},"id":"ASB-A-324321147-c69ca7d2"}],"spl":"2024-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-324321147.json"}},{"package":{"name":"platform/system/sepolicy","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2024-09-01"}]}],"versions":["12"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/system/sepolicy/+/837b024352038cb552b7c2473bf0707345550b78"],"severity":"High","spl":"2024-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-324321147.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2024-09-01"}]}],"versions":["12L"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/1e81807b183f08c9b7a68d225afff8b9ffb60fbe"],"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/1e81807b183f08c9b7a68d225afff8b9ffb60fbe","signature_type":"Function","target":{"function":"rebootRecoveryWithCommand","file":"services/core/java/com/android/server/recoverysystem/RecoverySystemService.java"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"139922616437392163507278178696116101270","length":286},"id":"ASB-A-324321147-05a5992e"},{"source":"https://android.googlesource.com/platform/frameworks/base/+/1e81807b183f08c9b7a68d225afff8b9ffb60fbe","signature_type":"Line","target":{"file":"services/core/java/com/android/server/recoverysystem/RecoverySystemService.java"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["290337205886082135664529271757085873662","44429003753278533918622652126628414746","95327427366099733971419211419415740775","193889559835343262853449875426062891055","52224330636178064851567392536525593756","34502311669572159593657740304219709331","248090791415092687519252799318411576738","275981375170790350061832965663579552572","335827388881238834665748622198376128843","4225917573281046722291225321582006865","23071830967478108637982025294452876294","4229832248663760137762095319238212756","34119448714758358513840952482255755156","692012383037161591342128733200314459","230973617615232794927698200478858730588","167845493303323722965697666503820776122","295029509456953677546158947474111980930","7882601665261321662698907659192602205","138761776906697323821268530347604769319","219182742916591629188321973430301238698","133865736767393987389982785909657267233","147530044308696879745964161830830661050","311420992284092135004605336394684948551"],"threshold":0.9},"id":"ASB-A-324321147-737d1509"},{"source":"https://android.googlesource.com/platform/frameworks/base/+/1e81807b183f08c9b7a68d225afff8b9ffb60fbe","signature_type":"Line","target":{"file":"keystore/java/android/security/AndroidKeyStoreMaintenance.java"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["215485146313622133872370603463836092731","205619386683574268652504478022636040735","235763321046038053102798807198667731616","7688259249438231920505158748089878033","118716778913461625128780261708081465621","315986714790696207876844379763168183773","240590361150340286664442456230007112536"],"threshold":0.9},"id":"ASB-A-324321147-fd581bd1"}],"spl":"2024-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-324321147.json"}},{"package":{"name":"platform/system/sepolicy","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2024-09-01"}]}],"versions":["12L"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/system/sepolicy/+/844c799e6091c23d1dec8dc1a57b1c5c0f9ff7da"],"severity":"High","spl":"2024-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-324321147.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2024-09-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/d020a38e4148a642e2f06363e27cce60097efa5d"],"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/d020a38e4148a642e2f06363e27cce60097efa5d","signature_type":"Line","target":{"file":"keystore/java/android/security/AndroidKeyStoreMaintenance.java"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["215485146313622133872370603463836092731","205619386683574268652504478022636040735","235763321046038053102798807198667731616","7688259249438231920505158748089878033","118716778913461625128780261708081465621","315986714790696207876844379763168183773","240590361150340286664442456230007112536"],"threshold":0.9},"id":"ASB-A-324321147-a9d3d13f"},{"source":"https://android.googlesource.com/platform/frameworks/base/+/d020a38e4148a642e2f06363e27cce60097efa5d","signature_type":"Function","target":{"function":"rebootRecoveryWithCommand","file":"services/core/java/com/android/server/recoverysystem/RecoverySystemService.java"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"139922616437392163507278178696116101270","length":286},"id":"ASB-A-324321147-d3498f0f"},{"source":"https://android.googlesource.com/platform/frameworks/base/+/d020a38e4148a642e2f06363e27cce60097efa5d","signature_type":"Line","target":{"file":"services/core/java/com/android/server/recoverysystem/RecoverySystemService.java"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["290337205886082135664529271757085873662","44429003753278533918622652126628414746","95327427366099733971419211419415740775","193889559835343262853449875426062891055","52224330636178064851567392536525593756","34502311669572159593657740304219709331","248090791415092687519252799318411576738","275981375170790350061832965663579552572","335827388881238834665748622198376128843","4225917573281046722291225321582006865","23071830967478108637982025294452876294","4229832248663760137762095319238212756","34119448714758358513840952482255755156","692012383037161591342128733200314459","230973617615232794927698200478858730588","167845493303323722965697666503820776122","295029509456953677546158947474111980930","7882601665261321662698907659192602205","138761776906697323821268530347604769319","219182742916591629188321973430301238698","133865736767393987389982785909657267233","147530044308696879745964161830830661050","311420992284092135004605336394684948551"],"threshold":0.9},"id":"ASB-A-324321147-e20614f5"}],"spl":"2024-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-324321147.json"}},{"package":{"name":"platform/system/sepolicy","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2024-09-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/system/sepolicy/+/72313f580e19af6fbbe95187881c4771a0f2416b"],"severity":"High","spl":"2024-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-324321147.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-09-01"}]}],"versions":["14"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/c85d5febdc186f7fa1af2d0a6bdf705683437a98"],"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/c85d5febdc186f7fa1af2d0a6bdf705683437a98","signature_type":"Line","target":{"file":"services/core/java/com/android/server/recoverysystem/RecoverySystemService.java"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["290337205886082135664529271757085873662","44429003753278533918622652126628414746","95327427366099733971419211419415740775","193889559835343262853449875426062891055","234414802658805065033155889456798918156","243942422904347728247854685558340666159","94715560017765580375664593237494171610","253945846818432226472765210389068817276","335827388881238834665748622198376128843","4225917573281046722291225321582006865","23071830967478108637982025294452876294","4229832248663760137762095319238212756","34119448714758358513840952482255755156","692012383037161591342128733200314459","230973617615232794927698200478858730588","167845493303323722965697666503820776122","295029509456953677546158947474111980930","7882601665261321662698907659192602205","138761776906697323821268530347604769319","219182742916591629188321973430301238698","133865736767393987389982785909657267233","147530044308696879745964161830830661050","311420992284092135004605336394684948551"],"threshold":0.9},"id":"ASB-A-324321147-4dca8057"},{"source":"https://android.googlesource.com/platform/frameworks/base/+/c85d5febdc186f7fa1af2d0a6bdf705683437a98","signature_type":"Function","target":{"function":"rebootRecoveryWithCommand","file":"services/core/java/com/android/server/recoverysystem/RecoverySystemService.java"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"139922616437392163507278178696116101270","length":286},"id":"ASB-A-324321147-644d5a01"},{"source":"https://android.googlesource.com/platform/frameworks/base/+/c85d5febdc186f7fa1af2d0a6bdf705683437a98","signature_type":"Line","target":{"file":"keystore/java/android/security/AndroidKeyStoreMaintenance.java"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["215485146313622133872370603463836092731","205619386683574268652504478022636040735","235763321046038053102798807198667731616","7688259249438231920505158748089878033","118716778913461625128780261708081465621","315986714790696207876844379763168183773","240590361150340286664442456230007112536"],"threshold":0.9},"id":"ASB-A-324321147-9446850c"}],"spl":"2024-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-324321147.json"}},{"package":{"name":"platform/system/sepolicy","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-09-01"}]}],"versions":["14"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/system/sepolicy/+/414d63d9d869912a12c23b19d273bccaa7b077d8"],"severity":"High","spl":"2024-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-324321147.json"}}],"schema_version":"1.7.5"}