Cyber Resilience

CVE-2024-0044

Medium · Public PoC

Published: 11 March 2024

Modified: 28 January 2025
KEV Added
Patch
CVSS Score v3.1: 6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0918 (92.9th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-0044 is a medium-severity Injection (CWE-74) vulnerability in Google Android. Its CVSS base score is 6.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 7.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

CVE-2024-0044 is an improper input validation flaw in the createSessionInternal method of PackageInstallerService.java within the Android frameworks/base component. The vulnerability permits an attacker to invoke run-as functionality against any installed application, resulting in local privilege escalation on the device.

A local attacker with existing high-privileged access, such as an ADB shell or system-level component, can exploit the issue without user interaction or additional permissions to execute code or access data under the identity of arbitrary apps. This yields full control over the targeted application's files, permissions, and runtime behavior on the affected Android system.

Public advisories reference multiple upstream patches committed to the Android framework repository and note inclusion in the October 2024 Android security bulletin, directing administrators to apply the corresponding monthly updates or cherry-pick the listed commits to close the validation gap. The associated EPSS score has remained essentially flat near 0.09 with no material post-disclosure rise.

Vulnerability details

In createSessionInternal of PackageInstallerService.java, there is a possible run-as any app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068: Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1134: Access Token Manipulation (Tactic: Stealth)
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.

T1548: Abuse Elevation Control Mechanism (Tactic: Privilege Escalation)
Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions.

T1554: Compromise Host Software Binary (Tactic: Persistence)
Adversaries may modify host software binaries to establish persistent access to systems.

Why these techniques?

CVE-2024-0044 enables local privilege escalation (T1068) by injecting fake entries into packages.list via unsanitized installer package names, which allows run-as execution as any non-system app (abusing elevation control, T1548, and token impersonation, T1134). It also facilitates persistence (T1554) by modifying cached ODEX/VDEX executables loaded by GMS and dependent apps.

Affected Assets

Vendor: google
Product: android
Versions: 12.0, 12.1, 13.0, 14.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
