ASB-A-304082474 — Vulnetix

ASB-A-304082474 PUBLISHED

In startInstall of UpdateFetcher.java, there is a possible way to trigger a malicious config update due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Products

Vendor	Product	Versions
platform	vendor/google/services/ConfigUpdater	11, 12L:0, 12L

Exploit Intelligence

packageScanner_test.cpp (github-poc)
test_pipeline_blame.py (github-poc)

Timeline

Feb 1, 2024 CVE Published
May 15, 2026 CVE Updated

References

https://source.android.com/security/bulletin/2024-02-01 advisory

Open in Interactive Console →