CVE-2023-35674

Name: CVE-2023-35674
Creator: NVD / NIST
Published: 2023-09-11T21:15:42.193+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.8/10Actively ExploitedEPSS 2.20%

Last modified Jun 17, 2026

CVE-2023-35674 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. CISA has confirmed active exploitation in the wild. EPSS estimates a 2.20% chance of exploitation in the next 30 days.

Description

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

CVSS 3.1

7.8/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

2.20%

80.3th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Oct 4, 2023.

Weakness Enumeration

CWE-269

Affected Software

Vendor	Product	Versions
Google	Android	11.0
Google	Android	12.0
Google	Android	12.1
Google	Android	13.0

References

https://android.googlesource.com/platform/frameworks/base/+/7428962d3b064ce1122809d87af65099d1129c9ePatch
https://source.android.com/security/bulletin/2023-09-01Patch, Vendor Advisory
https://android.googlesource.com/platform/frameworks/base/+/7428962d3b064ce1122809d87af65099d1129c9ePatch
https://source.android.com/security/bulletin/2023-09-01Patch, Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-35674Third Party Advisory, US Government Resource

Timeline

Published: Sep 11, 2023
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2023-35674?

How severe is CVE-2023-35674?

CVE-2023-35674 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 2.20% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2023-35674?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-35674?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST