Cyber Resilience

CVE-2023-35674

High · CISA KEV · Active Exploitation · EUVD Exploited · LPE

Published: 11 September 2023

Modified: 23 October 2025
KEV Added: 13 September 2023
Patch: 01 September 2023
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.4th percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-35674 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, it ranks at the 30.4th percentile by exploit likelihood (EPSS), which is below the median. Even so, CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2023-35674 is a logic error in the onCreate method of WindowState.java within the Android frameworks/base component. The flaw permits an application to launch a background activity, which can be leveraged for unauthorized actions on the device. It carries a CVSS 3.1 score of 7.8 and is tracked under CWE-269.

A local attacker with existing low-privileged access can exploit the issue without user interaction or additional execution rights, resulting in full escalation that affects confidentiality, integrity, and availability at a high level. The vulnerability resides in core window-management handling, allowing the malicious activity to bypass intended restrictions on background launches.

The September 2023 Android security bulletin addresses the issue through patches referenced in the public commit 7428962d3b064ce1122809d87af65099d1129c9e, and the flaw appears in CISA's known exploited vulnerabilities catalog. The current EPSS score remains low at 0.0012 with no indicated upward trajectory.

EU & UK References

Vulnerability details

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s): CWE-269
KEV Date Added: 13 September 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google android: 11.0, 12.0, 12.1, 13.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces the activity-launch restrictions that the flawed WindowState.java logic failed to apply, blocking unauthorized background execution.

prevent

Limits the set of permitted operations an installed app may perform, reducing the impact of any privilege escalation gained via the background-activity flaw.

prevent

Requires validation of launch-condition inputs and state checks inside onCreate, preventing the logic error that allowed silent background activity starts.

References