CVE-2024-43093

HIGH KEV

Java - Privilege Escalation

Title source: llm

Description

In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Exploits (1)

inthewild

poc

https://github.com/expl0itsecurity/cve-2024-43093-43047

View on inthewild

References (3)

[Patch] https://android.googlesource.com/platform/frameworks/base/+/7f83c671626f9bf993581f4598c22482d87cba10

[Vendor Advisory] https://source.android.com/security/bulletin/2025-03-01

[Third Party Advisory, US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-43093

Scores

CVSS v3 7.3

EPSS 0.0018

EPSS Percentile 39.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CISA KEV 2024-11-07

VulnCheck KEV 2024-11-04

InTheWild.io 2024-11-04

ENISA EUVD EUVD-2024-40034

CWE

CWE-176

Status published

Products (5)

google/android 12.0

google/android 12.1

google/android 13.0

google/android 14.0

google/android 15.0

Published Nov 13, 2024

KEV Added Nov 07, 2024

Tracked Since Feb 18, 2026