CVE-2024-31328
Logic Flaw in BroadcastController.java Enables Privilege Escalation
Publication date: 2026-03-02
Last updated on: 2026-03-06
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 14.0 | |
| android | 16.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the broadcastIntentLockedTraced method of BroadcastController.java. Due to a logic error in the code, it is possible to launch arbitrary activities from the background on a paired companion phone. This means that an attacker can escalate their privileges locally without needing any additional execution privileges or user interaction.
How can this vulnerability impact me? :
The vulnerability allows an attacker to launch arbitrary activities on a paired companion phone from the background, potentially leading to local escalation of privileges. This could enable unauthorized actions or access on the device without the user's knowledge or interaction.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know