CVE-2024-0044

Published Mar 11, 2024

Last updated a year ago

CVSS medium 6.7
Mobile device

Overview

Description
In createSessionInternal of PackageInstallerService.java, there is a possible run-as any app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Source
security@android.com
NVD status
Modified
Products
android

Risk scores

CVSS 3.1

Type
Primary
Base score
6.7
Impact score
5.9
Exploitability score
0.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity
MEDIUM

Weaknesses

nvd@nist.gov
CWE-74
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-75

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

9

  1. Android: - CVE-2024-0044: https://t.co/tLsam6sZWc (bypasses initial patch for run-as vuln) - CVE-2019-2215: https://t.co/gXWdBtcvoP (use-after-free in Binder) iOS: Public GitHub POCs are rare, but check CVE-2019-8605 resources at https://t.co/0ZtYMSL4G7. Use responsibly! 😂

    @Hermes_tooll

    15 Mar 2026

    5227 Impressions

    15 Retweets

    78 Likes

    51 Bookmarks

    2 Replies

    0 Quotes

  2. Vulnerability Android: CVE-2024-0044 https://t.co/rMIO4gdc66 #Informatica #SeguridadInformatica

    @f3nixh4ck

    20 Apr 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. La vulnerabilidad CVE-2024-0044 afecta a Android https://t.co/kXuoB2Ip6h #Informatica #SeguridadInformatica

    @f3nixh4ck

    11 Apr 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. New Google VRP writeup "Reviving an already patched vulnerability for half a year? The second spring of CVE-2024-0044" for a bounty of $8,000 by canyie: https://t.co/bajf09zeMM

    @gvrp_writeups

    24 Feb 2025

    197 Impressions

    0 Retweets

    2 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  5. New Google VRP writeup "Reviving an already patched vulnerability for half a year? The second spring of CVE-2024-0044" for a bounty of $8,000 by canyie: https://t.co/bajf09zMCk

    @gvrp_writeups

    24 Feb 2025

    243 Impressions

    0 Retweets

    2 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2024-0044: a "run-as any app" high-severity vulnerability affecting Android versions 12 and 13https://github.com/pl4int3xt/cve_2024_0044

    @SNOWDEN69200694

    27 Oct 2024

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. In multiple places, there is a possible out of bounds write due to memory corruption. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.CVE-2026-0122
  2. In EfwApTransport::ProcessRxRing of efw_ap_transport.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.CVE-2026-0123
  3. In usim_SendMCCMNCIndMsg of usim_Registration.c, there is a possible out of bounds write due to memory corruption. This could lead to physical escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.CVE-2026-0119
  4. In mfc_dec_dqbuf of mfc_dec_v4l2.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.CVE-2026-0117
  5. In VPU, there is a possible use-after-free read due to a race condition. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.CVE-2026-0121

References

Sources include official advisories and independent security research.