CVE-2024-43093

moderate-risk

Published 2024-11-13

In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Do I need to act?

0.18% chance of exploitation

EPSS score — low exploit probability

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.3/10 High

LOCAL / LOW complexity

Affected Products (5)

Android

Affected Vendors

Google

References (3)

Patch https://android.googlesource.com/platform/frameworks/base/+/7f83c671626f9bf99358...

Vendor Advisory https://source.android.com/security/bulletin/2025-03-01

Third Party Advisory https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-...

/ 100

moderate-risk

Severity 23/34 · High

Exploitability 8/34 · Low

Exposure 12/34 · Low