CVE-2023-35674

7.8 HIGH CISA KEV - Actively Exploited

Published: September 11, 2023 Modified: October 23, 2025

Description

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://android.googlesource.com/platform/frameworks/base/+/7428962d3b064ce1122809d87af65099d1129c9e

Source: security@android.com

Patch

https://source.android.com/security/bulletin/2023-09-01

Source: security@android.com

Patch Vendor Advisory

https://android.googlesource.com/platform/frameworks/base/+/7428962d3b064ce1122809d87af65099d1129c9e

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://source.android.com/security/bulletin/2023-09-01

Source: af854a3a-2127-422b-91ae-364da2661108

Patch Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-35674

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Third Party Advisory US Government Resource

5 reference(s) from NVD

Quick Stats

CVSS v3 Score

7.8 / 10.0

EPSS (Exploit Probability)

0.1%

26th percentile

Exploitation Status

Actively Exploited

Remediation due: 2023-10-04

Weaknesses (CWE)

CWE-269

Affected Vendors

google

Related CVEs

CVE-2025-52691 10.0

CVE-2025-15168 7.3

CVE-2025-15167 7.3

CVE-2025-15166 7.3

CVE-2025-15165 7.3