{"id":"ASB-A-270368476", "published":"2023-10-01T00:00:00Z", "modified":"2026-04-29T15:10:00.007170452Z", "aliases":["CVE-2023-40116", "A-270368476"], "details":"In onTaskAppeared of PipTaskOrganizer.java, there is a possible way to bypass background activity launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"11:0"}, {"fixed":"11:2023-10-01"}]}], "versions":["11"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2"], "severity":"High", "spl":"2023-10-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["66409941875196780203679071720485759320", "249825501416818358814829213642476147194", "118699811272894210661265234708291264000", "314904124287885909992861234525384513709", "16119790279244530535461322802107562818", "246494807188314216618621120050554696607", "140513676057509253661067554560652494122", "295050921507719318349337065064110109731", "105045769641888133769977750158259718043", "261734575546930252780250644523880121497", "242913691792290724166339716119192646636", "246781055635329598112787772846097277756", "99438466694255604288644571851072757610"], "threshold":0.9}, "id":"ASB-A-270368476-6163c3d5", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2", "target":{"file":"packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java"}}, {"deprecated":false, "digest":{"function_hash":"181491400177493555429237816646891076314", "length":1410}, "id":"ASB-A-270368476-62230532", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2", "target":{"file":"packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java", "function":"onTaskAppeared"}}, {"deprecated":false, "digest":{"function_hash":"39469595170827841739636224664203121629", "length":289}, "id":"ASB-A-270368476-63f5e53e", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/a54d763886ffd69aa14360dc999c76cd2af263f2", "target":{"file":"packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java", "function":"getValidSourceHintRect"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2023-10-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea"], "severity":"High", "spl":"2023-10-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["209429025854056159767914066393032300010", "220444712238162245414505967688722991297", "178767500888007998083315743702464392481", "299257603002189761949365254086058776383", "20542107226573851640259004201327613496", "263103364633141960488986345083847579584", "241829706067599882521182732383981463301", "222059183804709081811937293704782343215", "32839148087363786103231288248690155168", "338689995397819220111778241252026700835"], "threshold":0.9}, "id":"ASB-A-270368476-34add312", "match_only_versions":["12"], "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java"}}, {"deprecated":false, "digest":{"function_hash":"38289670632256435549636737135832254850", "length":1088}, "id":"ASB-A-270368476-3c8148fd", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java", "function":"startEnterAnimation"}}, {"deprecated":false, "digest":{"function_hash":"160389746768882259763309770676722951051", "length":2119}, "id":"ASB-A-270368476-491f2d73", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java", "function":"onTaskAppeared"}}, {"deprecated":false, "digest":{"function_hash":"316511690904435827584297228092807432492", "length":713}, "id":"ASB-A-270368476-7450e521", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java", "function":"onTaskAppearedWithFixedRotation"}}, {"deprecated":false, "digest":{"line_hashes":["63782221699039313840523007087291989928", "45004624479083865885120527292616715238", "97263869434801543928923037464445227885", "71726101960436302332167399892895922560"], "threshold":0.9}, "id":"ASB-A-270368476-f3bea353", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/4fda9095ba9bdecb8250336d4f0ca328ed7c2aea", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2023-10-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074"], "severity":"High", "spl":"2023-10-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"338005715330227342067705909101533423797", "length":752}, "id":"ASB-A-270368476-5f896475", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java", "function":"onTaskAppearedWithFixedRotation"}}, {"deprecated":false, "digest":{"line_hashes":["63782221699039313840523007087291989928", "45004624479083865885120527292616715238", "97263869434801543928923037464445227885", "236889982355939381297150488357076962895"], "threshold":0.9}, "id":"ASB-A-270368476-73710627", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java"}}, {"deprecated":false, "digest":{"line_hashes":["209429025854056159767914066393032300010", "220444712238162245414505967688722991297", "178767500888007998083315743702464392481", "299257603002189761949365254086058776383", "20542107226573851640259004201327613496", "263103364633141960488986345083847579584", "241829706067599882521182732383981463301", "222059183804709081811937293704782343215", "32839148087363786103231288248690155168", "67825956692415463057629696979124117501"], "threshold":0.9}, "id":"ASB-A-270368476-913a7f5b", "match_only_versions":["12L"], "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java"}}, {"deprecated":false, "digest":{"function_hash":"110587108648452807324641174991334861851", "length":2174}, "id":"ASB-A-270368476-91a09449", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java", "function":"startEnterAnimation"}}, {"deprecated":false, "digest":{"function_hash":"56007200615144024626055728707502052307", "length":2304}, "id":"ASB-A-270368476-c5832c66", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/59ef2c19e559bfc3f29974d63735758185975074", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java", "function":"onTaskAppeared"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2023-10-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/18c3b194642f3949d09e48c21da5658fa04994c8"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/18c3b194642f3949d09e48c21da5658fa04994c8"}]}