{"id":"ASB-A-336648613","details":"In setTransactionState of SurfaceFlinger.cpp, there is a possible way to perform tapjacking due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-336648613","CVE-2024-34743"],"modified":"2026-05-18T15:08:09.253695Z","published":"2024-08-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2024-08-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/native/+/3f85323b27d95a57bfa87cbf68dd4a143f9f88ad"}],"affected":[{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2024-08-01"}]}],"versions":["14-next"],"ecosystem_specific":{"spl":"2024-08-01","severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/04e41761914c3c3aaca965103be3679b7a7af76f","https://android.googlesource.com/platform/frameworks/native/+/2fc9515b2ae8a4bb4729092c113eff117841a958"],"types":["EoP"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/native/+/04e41761914c3c3aaca965103be3679b7a7af76f","id":"ASB-A-336648613-14b4ad06","digest":{"line_hashes":["98259378003215290729200237477895687439","124351871409583557248646893027347472071","83269910493861560338894238969646644480","199318277824035700342671260286424773147"],"threshold":0.9},"signature_type":"Line","target":{"file":"services/surfaceflinger/SurfaceFlinger.cpp"},"signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/native/+/2fc9515b2ae8a4bb4729092c113eff117841a958","id":"ASB-A-336648613-165e16f9","digest":{"line_hashes":["119849422066859117998190507447921247582","233788605379638285463660867186484692767","258348330144295160924809948120583375696","140468011115421245451995813614498008597","92733186063308125086410512280235079644","202345375235487927167814672541795343501","320856776686287278756643701749370531887","6077737703250704013138677459097867481","147423824564164202981002604416402353662","24802709526932377582786707034229334080","303639753293515368215693811817733397226","70010450437343897477377129399488908447","309185948175512427659912767458363091160","251125231041549029302901415882271665226","262174218451291711126137892668652235802","160029374754896997520764646987278392060"],"threshold":0.9},"signature_type":"Line","target":{"file":"services/surfaceflinger/tests/Credentials_test.cpp"},"signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/native/+/04e41761914c3c3aaca965103be3679b7a7af76f","id":"ASB-A-336648613-347a5dc2","digest":{"function_hash":"298505913791856611425474582226856428156","length":3818},"signature_type":"Function","target":{"function":"SurfaceFlinger::setTransactionState","file":"services/surfaceflinger/SurfaceFlinger.cpp"},"signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/native/+/04e41761914c3c3aaca965103be3679b7a7af76f","id":"ASB-A-336648613-a5630507","digest":{"function_hash":"167139669641146282885240371798531393151","length":1451},"signature_type":"Function","target":{"function":"TEST_F","file":"services/surfaceflinger/tests/Credentials_test.cpp"},"signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/native/+/04e41761914c3c3aaca965103be3679b7a7af76f","id":"ASB-A-336648613-b8041d00","digest":{"line_hashes":["119849422066859117998190507447921247582","233788605379638285463660867186484692767","258348330144295160924809948120583375696","140468011115421245451995813614498008597","92733186063308125086410512280235079644","202345375235487927167814672541795343501","320856776686287278756643701749370531887","6077737703250704013138677459097867481","147423824564164202981002604416402353662","24802709526932377582786707034229334080","303639753293515368215693811817733397226","70010450437343897477377129399488908447","309185948175512427659912767458363091160","251125231041549029302901415882271665226","262174218451291711126137892668652235802","160029374754896997520764646987278392060"],"threshold":0.9},"signature_type":"Line","target":{"file":"services/surfaceflinger/tests/Credentials_test.cpp"},"signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/native/+/2fc9515b2ae8a4bb4729092c113eff117841a958","id":"ASB-A-336648613-c25669e5","digest":{"line_hashes":["98259378003215290729200237477895687439","124351871409583557248646893027347472071","83269910493861560338894238969646644480","199318277824035700342671260286424773147"],"threshold":0.9},"signature_type":"Line","target":{"file":"services/surfaceflinger/SurfaceFlinger.cpp"},"signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/native/+/2fc9515b2ae8a4bb4729092c113eff117841a958","id":"ASB-A-336648613-d7e1fae3","digest":{"function_hash":"330833214335412875635693904938078851747","length":3425},"signature_type":"Function","target":{"function":"SurfaceFlinger::setTransactionState","file":"services/surfaceflinger/SurfaceFlinger.cpp"},"signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/native/+/2fc9515b2ae8a4bb4729092c113eff117841a958","id":"ASB-A-336648613-febb3c7f","digest":{"function_hash":"167139669641146282885240371798531393151","length":1451},"signature_type":"Function","target":{"function":"TEST_F","file":"services/surfaceflinger/tests/Credentials_test.cpp"},"signature_version":"v1","deprecated":false}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-336648613.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-08-01"}]}],"versions":["14"],"ecosystem_specific":{"spl":"2024-08-01","severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/f1ad68a1a9fbdeb62999ccaee21643783101157c"],"types":["EoP"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/native/+/f1ad68a1a9fbdeb62999ccaee21643783101157c","id":"ASB-A-336648613-199fc973","digest":{"function_hash":"167139669641146282885240371798531393151","length":1451},"signature_type":"Function","target":{"function":"TEST_F","file":"services/surfaceflinger/tests/Credentials_test.cpp"},"signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/native/+/f1ad68a1a9fbdeb62999ccaee21643783101157c","id":"ASB-A-336648613-a4c9fcb9","digest":{"line_hashes":["98259378003215290729200237477895687439","124351871409583557248646893027347472071","83269910493861560338894238969646644480","199318277824035700342671260286424773147"],"threshold":0.9},"signature_type":"Line","target":{"file":"services/surfaceflinger/SurfaceFlinger.cpp"},"signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/native/+/f1ad68a1a9fbdeb62999ccaee21643783101157c","id":"ASB-A-336648613-b602c7ed","digest":{"line_hashes":["119849422066859117998190507447921247582","233788605379638285463660867186484692767","258348330144295160924809948120583375696","140468011115421245451995813614498008597","92733186063308125086410512280235079644","202345375235487927167814672541795343501","320856776686287278756643701749370531887","6077737703250704013138677459097867481","147423824564164202981002604416402353662","24802709526932377582786707034229334080","303639753293515368215693811817733397226","70010450437343897477377129399488908447","309185948175512427659912767458363091160","251125231041549029302901415882271665226","262174218451291711126137892668652235802","160029374754896997520764646987278392060"],"threshold":0.9},"signature_type":"Line","target":{"file":"services/surfaceflinger/tests/Credentials_test.cpp"},"signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/native/+/f1ad68a1a9fbdeb62999ccaee21643783101157c","id":"ASB-A-336648613-b7b1246b","digest":{"function_hash":"330833214335412875635693904938078851747","length":3425},"signature_type":"Function","target":{"function":"SurfaceFlinger::setTransactionState","file":"services/surfaceflinger/SurfaceFlinger.cpp"},"signature_version":"v1","deprecated":false}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-336648613.json"}}],"schema_version":"1.7.5"}