Cyber Resilience

CVE-2024-49737

High

Published: 21 January 2025

Published
21 January 2025
Modified
22 April 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 16.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-49737 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-49737 is a logic error in the applyTaskFragmentOperation function of WindowOrganizerController.java within the Android Open Source Project. This flaw enables an attacker to launch arbitrary activities with system UID privileges, resulting in a local escalation of privilege. No additional execution privileges beyond basic local access are required, and user interaction is unnecessary for exploitation. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-276 (Incorrect Default Permissions).

A local attacker with low privileges, such as a malicious application or compromised user account on the device, can exploit this issue. By triggering the faulty logic in WindowOrganizerController, the attacker can execute arbitrary activities under the system UID, achieving full control over sensitive system functions and data. This grants high confidentiality, integrity, and availability impacts, potentially allowing persistent device compromise.

The Android Security Bulletin for 2025-01-01 details patches addressing this vulnerability, available at https://source.android.com/security/bulletin/2025-01-01. Security practitioners should ensure devices are updated to the latest monthly releases to mitigate exposure.

EU & UK References

Vulnerability details

In applyTaskFragmentOperation of WindowOrganizerController.java, there is a possible way to launch arbitrary activities as the system UID due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User…

more

interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation via logic flaw in system component, matching Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-53841Same product: Google Android
CVE-2024-34730Same product: Google Android
CVE-2024-49735Same product: Google Android
CVE-2024-49732Same product: Google Android
CVE-2024-53835Same product: Google Android
CVE-2024-43769Same product: Google Android
CVE-2024-53840Same product: Google Android
CVE-2024-43765Same product: Google Android
CVE-2024-49744Same product: Google Android
CVE-2018-9434Same product: Google Android

Affected Assets

google
android
13.0, 14.0, 15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the logic error in applyTaskFragmentOperation by applying vendor patches from Android Security Bulletins to prevent privilege escalation.

prevent

Enforces approved authorizations to block unauthorized launches of arbitrary activities as system UID in WindowOrganizerController.

prevent

Implements a tamper-resistant reference monitor to mediate and correctly enforce access control decisions in the flawed function.

References