CVE-2024-31328
Published: 02 March 2026
Summary
CVE-2024-31328 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Google Android. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-31328 is a logic error in the broadcastIntentLockedTraced function of BroadcastController.java within Android Wear OS. This vulnerability enables the launch of arbitrary activities from the background on a paired companion phone. Published on 2026-03-02, it carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-693.
An attacker with adjacent network access can exploit this issue with low complexity, no privileges, and no user interaction required. Successful exploitation allows local escalation of privilege on the companion phone, potentially compromising high levels of confidentiality, integrity, and availability.
The Android Wear OS security bulletin dated 2026-03-01 addresses this vulnerability with a patch, as detailed in the advisory at https://source.android.com/docs/security/bulletin/wear/2026/2026-03-01.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-29224
Vulnerability details
In broadcastIntentLockedTraced of BroadcastController.java, there is a possible way to launch arbitrary activities from the background on the paired companion phone due to a logic error in the code. This could lead to local escalation of privilege with no additional…
more
execution privileges needed. User interaction is not needed for exploitation.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Logic flaw directly enables background arbitrary activity launch leading to local privilege escalation on companion device via exploitation of the vulnerability.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires enforcement of approved authorizations for launching activities via broadcast intents, directly countering the logic error allowing background arbitrary launches.
Limits privileges of processes handling Wear OS broadcasts to companion phone, preventing escalation from unauthorized background activity launches.
Mandates timely identification, reporting, and correction of the specific logic flaw in BroadcastController.java, as addressed by the Android Wear OS patch.