CVE-2024-0044
Published: 11 March 2024
Summary
CVE-2024-0044 is a medium-severity Injection (CWE-74) vulnerability in Google Android. Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 7.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
CVE-2024-0044 is an improper input validation flaw in the createSessionInternal method of PackageInstallerService.java within the Android frameworks/base component. The vulnerability permits an attacker to invoke run-as functionality against any installed application, resulting in local privilege escalation on the device.
A local attacker with existing high-privileged access, such as an ADB shell or system-level component, can exploit the issue without user interaction or additional permissions to execute code or access data under the identity of arbitrary apps. This yields full control over the targeted application's files, permissions, and runtime behavior on the affected Android system.
Public advisories reference multiple upstream patches committed to the Android framework repository and note inclusion in the October 2024 Android security bulletin, directing administrators to apply the corresponding monthly updates or cherry-pick the listed commits to close the validation gap. The associated EPSS score has remained essentially flat near 0.09 with no material post-disclosure rise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-15847
Vulnerability details
In createSessionInternal of PackageInstallerService.java, there is a possible run-as any app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
CVE-2024-0044 enables local privilege escalation (T1068) by injecting fake entries into packages.list via unsanitized installer package names, allowing run-as execution as any non-system app (abusing elevation control, T1548, and token impersonation, T1134). It also facilitates persistence (T1554) by modifying cached ODEX/VDEX executables loaded by GMS and dependent apps.
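The unsanitized installer package name described above is a field-injection problem in a line-oriented file, and it is closed by validating the name before it is stored. The following is an added example, not AOSP code or the upstream patch: the function names, the package-name grammar, the `@null` token and the three-field record layout are assumptions of a simplified constructed model, not the real packages.list format.

```python
import re

# Assumed grammar: dotted segments of ASCII letters, digits and underscores,
# each starting with a letter. Whitespace and control characters never match.
_PKG_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+")
_UID_RE = re.compile(r"[0-9]{1,10}")
MAX_LEN = 255            # assumed length bound for this example
NO_INSTALLER = "@null"   # placeholder token used by this simplified model


def is_valid_package_name(name):
    """True only if the whole string matches the assumed grammar.

    fullmatch() is deliberate: match() with a trailing '$' would still
    accept a name that ends in a newline.
    """
    return (isinstance(name, str) and 0 < len(name) <= MAX_LEN
            and _PKG_RE.fullmatch(name) is not None)


def sanitize_installer_name(name):
    """Return the name if valid, else None, so a bad value is never stored."""
    return name if is_valid_package_name(name) else None


def format_record(package, uid, installer):
    """Serialise one 'package uid installer' line of the simplified model."""
    if not is_valid_package_name(package):
        raise ValueError("invalid package name")
    safe = sanitize_installer_name(installer) or NO_INSTALLER
    return f"{package} {int(uid)} {safe}"


def audit_records(text):
    """Return (line_number, line) for each line that is not a well-formed record."""
    findings = []
    for number, line in enumerate(text.split("\n"), start=1):
        if not line:
            continue
        fields = line.split(" ")
        ok = (len(fields) == 3
              and is_valid_package_name(fields[0])
              and _UID_RE.fullmatch(fields[1]) is not None
              and (fields[2] == NO_INSTALLER or is_valid_package_name(fields[2])))
        if not ok:
            findings.append((number, line))
    return findings
```

`audit_records` is the detection counterpart: run over a file written by an unpatched serialiser, it reports any line that does not parse as exactly one record.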
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.