cve/2024/CVE-2024-0044.md

### [CVE-2024-0044](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0044)
![](https://img.shields.io/static/v1?label=Product&message=Android&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%2014%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Elevation%20of%20privilege&color=brighgreen)

### Description

In createSessionInternal of PackageInstallerService.java, there is a possible run-as any app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

### POC

#### Reference
- https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-m7fh-f3w4-r6v2
- https://rtx.meta.security/exploitation/2024/03/04/Android-run-as-forgery.html

#### Github
No PoCs found on GitHub currently.