Description

In BackgroundLaunchProcessController, there is a possible way to launch arbitrary activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Classification

CVE ID: CVE-2024-0034

CVSS Base Severity: HIGH

CVSS Base Score: 7.8

Affected Products

Vendor: Google

Product: Android

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.0% (probability of being exploited)

EPSS Percentile: 0.16% (scored less or equal to compared to others)

EPSS Date: 2025-04-17 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0034
https://android.googlesource.com/platform/frameworks/base/+/653f7b0d234693309dc86161af01831b64033fe6
https://source.android.com/security/bulletin/2024-02-01

Timeline