CVE-2023-35674

ENISA EUVD: EUVD-2023-39674 ↗
Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero
Triaged: March 5, 2026 2 articles Published: 2023-09-11
VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23
0.09%
probability
This CVE has a 0.09% probability of being exploited in the next 30 days.
0% Top 24.9th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
8.8
HIGH
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)
In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Products

Google
Android
13 12L 12 11

Attack Intelligence

Google Project Zero

Patched
Sept. 5, 2023
Reported by
???
Root Cause Analysis
???

Exploits & PoC

SpiralBL0CK/Guide-and-theoretical-code-for-CVE-2023-35674

Guide and theoretical code for CVE-2023-35674

2 2024-10-15
Thampakon/CVE-2023-35674

ช่องโหว่ CVE-2023-35674 *สถานะ: ยังไม่เสร็จ*

0 2023-09-11
2 repos — triés par ⭐ Rechercher sur GitHub ↗

Signal Intelligence

Confidence
95%
EPSS 0.09%
CVSS v3.1 8.8
Mentions 2
Last Seen Sep 06, 2023

CNA Information

CNA Assigner
google_android

Analyst Note

Auto-imported from Google Project Zero — confirmed zero-day by definition.

Triage Info

Decided atMar 05, 2026
Published DateSep 11, 2023