CVE-2024-43093

7.3 HIGH CISA KEV - Actively Exploited

Published: November 13, 2024 Modified: October 23, 2025

Description

In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://android.googlesource.com/platform/frameworks/base/+/7f83c671626f9bf993581f4598c22482d87cba10

Source: security@android.com

Patch

https://source.android.com/security/bulletin/2025-03-01

Source: security@android.com

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-43093

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Third Party Advisory US Government Resource

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

7.3 / 10.0

EPSS (Exploit Probability)

0.2%

37th percentile

Exploitation Status

Actively Exploited

Remediation due: 2024-11-28

Weaknesses (CWE)

CWE-176

Affected Vendors

google

Related CVEs

CVE-2025-52691 10.0

CVE-2025-15168 7.3

CVE-2025-15167 7.3

CVE-2025-15166 7.3

CVE-2025-15165 7.3