Possible Local Escalation of Privilege Vulnerability in DreamService.java
CVE-2024-0015
Summary
The convertToComponentName method in DreamService.java is vulnerable to intent redirection, which makes it possible to launch arbitrary protected activities. This flaw could facilitate local escalation of privilege, enabling an attacker to execute potentially harmful activities with user execution privileges. Exploitation does not require user interaction, which heightens the severity of the risk. Users and administrators are advised to promptly apply security updates and monitor related advisories to safeguard against possible exploits.
Affected Version(s)
Android 13
Android 12L
Android 12
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved