CVE-2024-31328

High

Published: 02 March 2026

Published

02 March 2026

Modified

06 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0009 25.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-31328 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Google Android. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 25.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Requires enforcement of approved authorizations for launching activities via broadcast intents, directly countering the logic error allowing background arbitrary launches.

AC-6 Least Privilege good match

prevent

Limits privileges of processes handling Wear OS broadcasts to companion phone, preventing escalation from unauthorized background activity launches.

SI-2 Flaw Remediation good match

preventrecover

Mandates timely identification, reporting, and correction of the specific logic flaw in BroadcastController.java, as addressed by the Android Wear OS patch.

NVD Description

In broadcastIntentLockedTraced of BroadcastController.java, there is a possible way to launch arbitrary activities from the background on the paired companion phone due to a logic error in the code. This could lead to local escalation of privilege with no additional…

execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2024-31328 is a logic error in the broadcastIntentLockedTraced function of BroadcastController.java within Android Wear OS. This vulnerability enables the launch of arbitrary activities from the background on a paired companion phone. Published on 2026-03-02, it carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-693.

An attacker with adjacent network access can exploit this issue with low complexity, no privileges, and no user interaction required. Successful exploitation allows local escalation of privilege on the companion phone, potentially compromising high levels of confidentiality, integrity, and availability.

The Android Wear OS security bulletin dated 2026-03-01 addresses this vulnerability with a patch, as detailed in the advisory at https://source.android.com/docs/security/bulletin/wear/2026/2026-03-01.

Details

CWE(s): CWE-693

Affected Products

google

android

14.0, 16.0

CVEs Like This One

CVE-2026-0118Same product: Google Android

CVE-2025-48626Same product: Google Android

CVE-2025-48602Same product: Google Android

CVE-2025-48605Same product: Google Android

CVE-2025-48653Same product: Google Android

CVE-2026-0011Same product: Google Android

CVE-2026-0017Same product: Google Android

CVE-2025-48635Same product: Google Android

CVE-2025-48574Same product: Google Android

CVE-2025-36920Same product: Google Android

References

https://source.android.com/docs/security/bulletin/wear/2026/2026-03-01
Vendor Advisory · security@android.com
https://source.android.com/docs/security/bulletin/wear/2026/2026-03-01
Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0