CVE-2023-35674
Published: 11 September 2023
Summary
CVE-2023-35674 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Google Android. Its CVSS base score is 7.8 (High).
Ranked at the 30.4th percentile by exploit likelihood (below the median), it has nonetheless been added by CISA to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2023-35674 is a logic error in the onCreate method of WindowState.java within the Android frameworks/base component. The flaw permits an application to launch a background activity, which can be leveraged for unauthorized actions on the device. It carries a CVSS 3.1 score of 7.8 and is tracked under CWE-269.
A local attacker with existing low-privileged access can exploit the issue without user interaction or additional execution rights, resulting in local privilege escalation with high impact on confidentiality, integrity, and availability. The vulnerability resides in core window-management handling, allowing a malicious activity to bypass the intended restrictions on background activity launches.
The September 2023 Android security bulletin addresses the issue through patches referenced in the public commit 7428962d3b064ce1122809d87af65099d1129c9e, and the flaw appears in CISA's known exploited vulnerabilities catalog. The current EPSS score remains low at 0.0012 with no indicated upward trajectory.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-39674
Vulnerability details
In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- CWE(s): CWE-269 (Improper Privilege Management)
- KEV Date Added: 13 September 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces the activity-launch restrictions that the flawed WindowState.java logic failed to apply, blocking unauthorized background execution.
- AC-6 (Least Privilege): Limits the set of permitted operations an installed app may perform, reducing the impact of any privilege escalation gained via the background-activity flaw.
- Input validation: Requires validation of launch-condition inputs and state checks inside onCreate, preventing the logic error that allowed silent background activity starts.