Local Privilege Escalation in Android WindowOrganizerController by Google
CVE-2024-49737

7.8HIGH

Key Information:

Vendor: Google
Status: Android
Vendor: CVE Published:; 21 January 2025

Summary

A vulnerability exists in the WindowOrganizerController.java component where a logic error allows for the unintended launching of arbitrary activities as the system user ID. This flaw can lead to local privilege escalation without requiring any additional execution permissions or user interaction. This poses a significant security risk as it can enable malicious actors to exploit the underlying system permissions. Addressing this issue is critical to maintaining the integrity of the Android operating system.

Affected Version(s)

Android 15

Android 14

Android 13

References

https://source.android.com/security/bulletin/2025-01-01

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 21, 2025