Android Framework Activity Launch Vulnerability in ActivityTaskManagerService Allowing Background Activity Starts
Vulnerability
A vulnerability exists in the Android Framework's ActivityTaskManagerService that allows activities to be launched from the background. This issue arises from a logic error in the code, specifically in the startNextMatchingActivity function. The vulnerability could lead to a local escalation of privilege, as it allows an activity to be started with the privileges of the app that initiated the original activity, such as the Launcher app. Exploitation of this vulnerability does not require any additional execution privileges or user interaction.
Impact
Exploitation of this vulnerability could result in unauthorized activities being launched in the foreground, potentially leading to misuse of application privileges.
Reproduction
The vulnerability can be reproduced by calling the startNextMatchingActivity method from an activity that is not in the foreground. This can be done by sending an intent to the activity while it is in the background, which will trigger the method and launch the activity with the calling app's privileges.
Remediation
Users can update to the December 2025 security patch level to address this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.