CVE-2024-0047
MEDIUMAndroid - Local Denial of Service via Incorrect Device Policy Serialization Tag
Title source: llmDescription
In writeUserLP of UserManagerService.java, device policies are serialized with an incorrect tag due to a logic error in the code. This could lead to local denial of service when policies are deserialized on reboot with no additional execution privileges needed. User interaction is not needed for exploitation.
References (4)
Core 4
Core References
Patch
https://android.googlesource.com/platform/frameworks/base/+/3cd8a2c783fc736627b38f639fe4e239abcf6af1
Patch
https://android.googlesource.com/platform/frameworks/base/+/bd5cc7f03256b328438b9bc3791c6b811a2f1f17
Patch
https://android.googlesource.com/platform/frameworks/base/+/f516739398746fef7e0cf1437d9a40e2ad3c10bb
Patch, Vendor Advisory
https://source.android.com/security/bulletin/2024-03-01
Scores
CVSS v3
5.5
EPSS
0.0004
EPSS Percentile
11.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-502
Status
published
Products (1)
google/android
14.0
Published
Mar 11, 2024
Tracked Since
Feb 18, 2026