惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
S
Securelist
P
Privacy & Cybersecurity Law Blog
Scott Helme
Scott Helme
T
Threatpost
C
Cybersecurity and Infrastructure Security Agency CISA
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
量子位
博客园 - Franky
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Latest news
Latest news
T
Troy Hunt's Blog
N
News | PayPal Newsroom
Google Online Security Blog
Google Online Security Blog
Apple Machine Learning Research
Apple Machine Learning Research
N
Netflix TechBlog - Medium
小众软件
小众软件
P
Palo Alto Networks Blog
Spread Privacy
Spread Privacy
C
Cyber Attacks, Cyber Crime and Cyber Security
C
Check Point Blog
aimingoo的专栏
aimingoo的专栏
WordPress大学
WordPress大学
L
Lohrmann on Cybersecurity
L
LINUX DO - 最新话题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Last Watchdog
The Last Watchdog
S
Security @ Cisco Blogs
P
Privacy International News Feed
Last Week in AI
Last Week in AI
Microsoft Security Blog
Microsoft Security Blog
T
Tailwind CSS Blog
博客园_首页
云风的 BLOG
云风的 BLOG
V
Vulnerabilities – Threatpost
D
DataBreaches.Net
Recent Announcements
Recent Announcements
酷 壳 – CoolShell
酷 壳 – CoolShell
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
罗磊的独立博客
Engineering at Meta
Engineering at Meta
Forbes - Security
Forbes - Security
T
Tenable Blog

残页的小博客

Android 安全 常用技巧合集 - 残页的小博客 Android 2026 年每月安全补丁分析索引 - 残页的小博客 频道内容备份 - 残页的小博客 Android Runtime Resources Overlay 加载时序分析 CVE-2024-49721 InputMethodSubtypeArray 反序列化漏洞分析 - 残页的小博客 Android 2025 年每月安全补丁分析索引 - 残页的小博客 Self-changing Data Type - CVE-2024-40676 漏洞分析 Android 平台常见安全漏洞类型 - 残页的小博客 Reviving an already patched vulnerability for half a year? The second spring of CVE-2024-0044 MagiskEoP (CVE-2024-48336): Magisk App Arbitrary Code Execution Vulnerability Android 2023-12 ~ 2024 每月安全补丁分析索引 在故事开始之前的故事:Android 启动过程与 magiskinit 分析 - 残页的小博客 若人生是场大梦啊——记我人生的前19年 - 残页的小博客 写给 Android 开发者的系统基础知识科普 - 残页的小博客 Android Property 实现解析与黑魔法 - 残页的小博客 从电子厂逃离的 17 岁 - 2021 年终总结 检测Magisk与Xposed - 残页的小博客 《空中浩劫》里的法航447 - 残页的小博客 通过系统的native bridge实现注入zygote - 残页的小博客 Android R上的隐藏API限制学习笔记 - 残页的小博客 ART上的动态Java方法hook框架 - 残页的小博客
CVE-2026-0091: An issue in android window management to Arbitrary Code Execution in Launcher process
2026-07-08 · via 残页的小博客

This issue CVE-2026-0091 has been fixed for Android 14+ in June 2026 Android Security Bulletin. Click here to see the patch

The following is copied from my repo https://github.com/canyie/TransitionPlayer for backup purposes. For more info such as PoC code, please check the original repo.

Writeup

TODO

I’ll complete the writeup when I got a little free time

But before that I have to fight against school work and exams

I decided to complete the section before exams are finished

Good luck to me 😇

Introduction to IApplicationThread

IApplicationThread is a private callback provided to system from apps so that system can use it to send commands (load specified app, notify changes of component lifecycle, etc) to app

It is intended to only usable from system, so there are no permission checks, and security is guaranteed solely by the fact that the object is not obtained by a malicious process. This sounds somewhat similar to the concept of “cookies” or “tokens” in web. Such access control model is called as Capability-based Security

If someone else managed to obtain an IApplicationThread from other processes, they can send arbitrary commands and the victim app would just process the fabricated commands like they were generated by system. In a previous exploit of CVE-2022-20452 the trick was used to perform arbitrary code execution

RemoteTransition

While IApplicationThread should only be passed to system process, it can be unexpectedly sent out of system_server

No one would implement an getIApplicationThreadForApp(String packageName) API that is exposed to any one, it is an obvious security violation

But if IApplicationThread is wrapped in another object and the outer wrapper object gets sent, it is a more likely scenario

RemoteTransition is such a wrapper which contains an IApplicationThread in order to boost priority of app that is running an animation

One user of that API is Launcher3, the default home application on AOSP and Pixel devices, which creates an ActivityOptions using a RemoteTransition and then pass it to startActivity()

While Launcher3 itself does not expose the object to untrusted factors, the system_server sometimes does

CVE-2022-20419 occurred because system_server forwarded caller-passed ActivityOptions to launched app but forgot to strip RemoteTransition, allowing launched app to receive it and load arbitrary code inside launcher process

TransitionPlayer

During shared-element transition animation, a lot of work has to done and communications need to happen between WMCore and WMShell, where WM means Window Manager

You can read this article to understand WMShell

As WMCore and WMShell runs in different processes (WMCore runs in system_server and WMShell runs in SystemUI), they utilize the Binder mechanism to talk with each other

WMCore exposed a Binder registerTransitionPlayer API and WMShell uses it to register its own binder

When animation is started, WMCore calls requestStartTransition and TransitionRequestInfo is passed to remote, which includes the initial RemoteTransition

So if we can replace the transition player, we will be able to retrieve Launcher’s IApplicationThread and achieve arbitrary code execution inside a privileged process

However, registerTransitionPlayer is protected by MANAGE_ACTIVITY_TASKS permission which 3rd party app can’t get

But adb shell can also run untrusted user code, and the shell is granted MANAGE_ACTIVITY_TASKS permission, so luckily we can launch attack from adb shell

Impact

It’s a funny question that what can attackers do through this vulnerability

As most permissions granted to Launcher are also held by adb shell, attackers who already able to execute code under shell identity don’t need to exploit this vulnerability to compromise device

This is more like an educational example project for learning IApplicationThread than an exploit that can be used by malicious app

However, someone may be still be interested in this one

For example, this can be used to extract Launcher’s private files, which can be useful in forensic analysis for malicious Launcher apps without rooting device. Previously this was achieved by exploiting CVE-2024-31317, and my finding reveals another method after the previous one was fixed

This also allows users to use Fabricated Runtime Resources Overlay (FRRO) without first rooting their device, so rootless custom themes is back after CVE-2021-39630 was patched. My exploit has demonstrated this by setting android:integer/config_multiuserMaximumUsers to 100

In addition, the Launcher also hosts the Recents screen component by default and thus is allowlisted for some privileged actions. I think the Launcher is allowed to start arbitrary activity in an existing task regardless of exported/permission settings of launched Activities which might be wanted by some device management tool apps, although I haven’t tested it myself

Test

https://github.com/canyie/TransitionPlayer

Build the project, install generated apk file (if you use the Run button inside Android Studio, turn on “Always install with package manager”)

Run the following command on PC

1
adb shell app_process '-Djava.class.path=$(pm path top.canyie.transitionplayer | cut -c9-) /system/bin top.canyie.transitionplayer.Main'

Then launch an arbitrary app by tapping its icon from the launcher

A notification should be sent from the launcher app, and if you are on Android 14+, a fabricated overlay will be injected into the system, so adb shell cmd overlay lookup android android:integer/config_multiuserMaximumUsers should return 100

Fixes


博客内容遵循 署名-非商业性使用-相同方式共享 4.0 国际 (CC BY-NC-SA 4.0) 协议

本文永久链接是:https://blog.canyie.top/2026/07/08/CVE-2026-0091/