{"id":"ASB-A-369103643","details":"In applyTaskFragmentOperation of WindowOrganizerController.java, there is a possible way to launch arbitrary activities as the system UID due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-369103643","CVE-2024-49737"],"modified":"2026-04-17T15:55:28.020024Z","published":"2025-01-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-01-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/5eb2aa58018c3e3b42c4574e76e9aa845ab31bff"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-01-01"}]}],"versions":["15-next"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/20c568e77eae5d469cd5e594b644d8645d830dbd"],"vanir_signatures":[{"digest":{"line_hashes":["247830753239969257885873247624590463164","221466244410249515856626539819557021675","269788443082532464705129411073175667603","93429399078353028099383205705581146863","303485001708872188488953942908528730903","237973310562149926607121392462167340335","181167633947030499191796485318783126492","148109783725599155833924821162785267763","111960032208563870104386455562406693993"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/base/+/20c568e77eae5d469cd5e594b644d8645d830dbd","signature_type":"Line","target":{"file":"services/core/java/com/android/server/wm/ActivityStartController.java"},"deprecated":false,"signature_version":"v1","id":"ASB-A-369103643-62490ddd"},{"digest":{"line_hashes":["182731028694053703641809109840598050601","232637503072892794895967908429165344939","13089435161022061320893909569743237690","168334595336395150687999161467293447816","161631339194587669886168761581488055762","253090262294093846784841518108590628549"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/base/+/20c568e77eae5d469cd5e594b644d8645d830dbd","signature_type":"Line","target":{"file":"services/core/java/com/android/server/wm/WindowOrganizerController.java"},"deprecated":false,"signature_version":"v1","id":"ASB-A-369103643-907c7f88"},{"digest":{"length":7432,"function_hash":"96498141685469445536557282481916479375"},"source":"https://android.googlesource.com/platform/frameworks/base/+/20c568e77eae5d469cd5e594b644d8645d830dbd","signature_type":"Function","target":{"file":"services/core/java/com/android/server/wm/WindowOrganizerController.java","function":"applyTaskFragmentOperation"},"deprecated":false,"signature_version":"v1","id":"ASB-A-369103643-938714f8"}],"spl":"2025-01-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-369103643.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-01-01"}]}],"versions":["15"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/31d655813075ed45f934080d1743231c3b75a0d2"],"spl":"2025-01-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-369103643.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-01-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/ef9ea0faa26e0ce0ee5e8dc70a663f98e04b0ca0"],"vanir_signatures":[{"digest":{"line_hashes":["247830753239969257885873247624590463164","221466244410249515856626539819557021675","63807911397127398893873232592809304717","324626324815413323839987247617310599301","303485001708872188488953942908528730903","237973310562149926607121392462167340335","181167633947030499191796485318783126492","148109783725599155833924821162785267763","111960032208563870104386455562406693993"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/base/+/ef9ea0faa26e0ce0ee5e8dc70a663f98e04b0ca0","signature_type":"Line","target":{"file":"services/core/java/com/android/server/wm/ActivityStartController.java"},"deprecated":false,"signature_version":"v1","id":"ASB-A-369103643-01d9292a"},{"digest":{"line_hashes":["288034330759454545749828417286440772737","70732883184502326222261677927881772729","125145677863081048291088641446390616547","307720510604394016663738182914756931362","159307390470164582163890545615796627319","219780262929468288463261191986071483534"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/base/+/ef9ea0faa26e0ce0ee5e8dc70a663f98e04b0ca0","signature_type":"Line","target":{"file":"services/core/java/com/android/server/wm/WindowOrganizerController.java"},"deprecated":false,"signature_version":"v1","id":"ASB-A-369103643-12f1f598"},{"digest":{"length":10099,"function_hash":"6273640658742789058457512313068402242"},"source":"https://android.googlesource.com/platform/frameworks/base/+/ef9ea0faa26e0ce0ee5e8dc70a663f98e04b0ca0","signature_type":"Function","target":{"file":"services/core/java/com/android/server/wm/WindowOrganizerController.java","function":"applyHierarchyOp"},"deprecated":false,"signature_version":"v1","id":"ASB-A-369103643-f89cdc72"}],"spl":"2025-01-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-369103643.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-01-01"}]}],"versions":["14"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/198f7b559f9a13d5b9d26b41c6b95bc1e45fcb1e"],"vanir_signatures":[{"digest":{"length":4858,"function_hash":"204437010377938415305313386421056551892"},"source":"https://android.googlesource.com/platform/frameworks/base/+/198f7b559f9a13d5b9d26b41c6b95bc1e45fcb1e","signature_type":"Function","target":{"file":"services/core/java/com/android/server/wm/WindowOrganizerController.java","function":"applyTaskFragmentOperation"},"deprecated":false,"signature_version":"v1","id":"ASB-A-369103643-1b501a7f"},{"digest":{"line_hashes":["182731028694053703641809109840598050601","121976430543692563394842650948165224068","64384254864213543719623192695623721071","46685231285905702262550237476649330875","325520871240326503071717366354732856279","251301581520187244933596937037593687964"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/base/+/198f7b559f9a13d5b9d26b41c6b95bc1e45fcb1e","signature_type":"Line","target":{"file":"services/core/java/com/android/server/wm/WindowOrganizerController.java"},"deprecated":false,"signature_version":"v1","id":"ASB-A-369103643-34e3116c"},{"digest":{"line_hashes":["247830753239969257885873247624590463164","221466244410249515856626539819557021675","269788443082532464705129411073175667603","93429399078353028099383205705581146863","303485001708872188488953942908528730903","237973310562149926607121392462167340335","181167633947030499191796485318783126492","148109783725599155833924821162785267763","111960032208563870104386455562406693993"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/base/+/198f7b559f9a13d5b9d26b41c6b95bc1e45fcb1e","signature_type":"Line","target":{"file":"services/core/java/com/android/server/wm/ActivityStartController.java"},"deprecated":false,"signature_version":"v1","id":"ASB-A-369103643-6b875c9b"}],"spl":"2025-01-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-369103643.json"}}],"schema_version":"1.7.5"}