Cyber Resilience

CVE-2024-43093

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 13 November 2024
Modified: 23 October 2025
KEV Added: 07 November 2024
Patch: available
CVSS Score (v3.1): 7.3, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.0014 (33.7th percentile)
Risk Priority: 35 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-43093 is a high-severity vulnerability in Google Android classified as Improper Handling of Unicode Encoding (CWE-176). Its CVSS v3.1 base score is 7.3 (High).

Operationally, its EPSS score places it at the 33.7th percentile by predicted exploit likelihood (below the median), but CISA has added it to the Known Exploited Vulnerabilities catalog. The low EPSS figure should therefore not be read as low risk: confirmed exploitation outweighs the model's prediction.

Deeper analysis

CVE-2024-43093 is a vulnerability in ExternalStorageProvider.java in Android's frameworks/base component. The shouldHideDocument method is meant to hide documents that live under sensitive directories, but it applied Unicode normalization incorrectly when comparing a path against that filter. A path spelled with characters the filter does not match, but which resolve to the same directory, is therefore not hidden, and the restriction on those directories can be bypassed. The flaw is classified under CWE-176 and carries a CVSS v3.1 base score of 7.3.

A local attacker with limited privileges, such as an installed app, can use the bypass to reach files under the protected paths; Android rates this as a local escalation of privilege, and no additional execution privileges are needed. Exploitation does require user interaction (UI:R in the CVSS vector), such as an action that drives the affected storage-provider code path.

The March 2025 Android security bulletin and the associated AOSP commit provide the official remediation, which corrects the normalization handling in ExternalStorageProvider. Devices should be on the security patch level of that bulletin or later. The vulnerability is also tracked in CISA's Known Exploited Vulnerabilities catalog (added 07 November 2024).
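To make the failure mode concrete, the following is an added example written for this page in Python; it is not the AOSP ExternalStorageProvider code and does not reproduce the specific characters used against Android, which this page does not give. The hidden-directory list, the storage-layer model that folds look-alike spellings onto the same entry, and every sample path are constructed for the illustration. The naive filter compares the raw string; the hardened filter canonicalizes with the same transformation the storage layer applies and then compares whole path segments.

```python
"""Unicode-normalization mismatch in a path filter: vulnerable vs. hardened.

Added illustration, not the AOSP ExternalStorageProvider code. The deny list,
the storage-layer model and all sample paths below are constructed.
"""
import posixpath
import unicodedata

# Constructed deny list standing in for the directories the provider hides
# (Android keeps app-private external data under Android/data and Android/obb).
HIDDEN_PREFIXES = ("Android/data", "Android/obb")


def storage_resolve(path: str) -> str:
    """Constructed model of a storage layer that maps look-alike spellings onto
    the same entry: compatibility-normalize (NFKC), case-fold, collapse '.' and
    '..' components, and drop leading slashes so paths are relative to the root.
    This is an assumption for the illustration, not the behaviour of any real
    Android filesystem layer."""
    folded = unicodedata.normalize("NFKC", path).casefold()
    return posixpath.normpath(folded).lstrip("/")


def naive_should_hide(doc_path: str) -> bool:
    """Vulnerable check: a prefix test on the raw string. Any spelling that the
    storage layer later folds onto a hidden directory slips through, and the
    prefix test also wrongly hides unrelated names such as Android/data2."""
    return any(doc_path.startswith(prefix) for prefix in HIDDEN_PREFIXES)


def hardened_should_hide(doc_path: str) -> bool:
    """Fixed check: canonicalize with the same transformation the storage layer
    applies, refuse anything that escapes the root, then compare whole path
    segments so Android/data/x is hidden while Android/data2/x is not."""
    canon = storage_resolve(doc_path)
    parts = canon.split("/")
    if parts[0] == "..":
        return True  # escaped the root: never expose
    for prefix in HIDDEN_PREFIXES:
        prefix_parts = storage_resolve(prefix).split("/")
        if parts[: len(prefix_parts)] == prefix_parts:
            return True
    return False


def lands_in_hidden_dir(doc_path: str) -> bool:
    """What the attacker actually reaches: does the storage layer resolve the
    path into one of the hidden trees?"""
    parts = storage_resolve(doc_path).split("/")
    for prefix in HIDDEN_PREFIXES:
        prefix_parts = storage_resolve(prefix).split("/")
        if parts[: len(prefix_parts)] == prefix_parts:
            return True
    return False


def evaluate(doc_path: str) -> dict:
    """Run both filters on one path and report whether the naive filter was
    bypassed (it let the path through although it lands in a hidden tree)."""
    naive = naive_should_hide(doc_path)
    hardened = hardened_should_hide(doc_path)
    reaches = lands_in_hidden_dir(doc_path)
    return {
        "naive_hidden": naive,
        "hardened_hidden": hardened,
        "reaches_hidden": reaches,
        "naive_bypassed": reaches and not naive,
    }


# Constructed sample paths: a fullwidth 'A' (U+FF21) look-alike, an upper-case
# variant, a dot-dot traversal, a benign sibling directory, an ordinary file.
SAMPLES = [
    "\uff21ndroid/data/com.example.app/files/token.txt",
    "ANDROID/OBB/com.example.app/main.obb",
    "Pictures/../Android/data/com.example.app/cache/x",
    "Android/data2/readme.txt",
    "DCIM/photo.jpg",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: {evaluate(sample)}")
```

The point generalizes beyond Unicode: a filter must compare the canonical form the consumer will act on, so normalization, case folding and `..` collapsing all have to happen before the deny-list check, and a prefix test on the raw string is wrong in both directions (it lets the fullwidth spelling through and blocks the legitimate Android/data2). On Android the authoritative fix is the AOSP commit referenced by the bulletin; this model only shows why the order of canonicalize-then-compare matters.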

EPSS for the CVE rose from a low baseline to a peak of 0.0197 the day after disclosure before receding to its current 0.0014, a transient but measurable rise in predicted exploitation activity following public release. Because the CVE sits in KEV, the KEV listing rather than the EPSS value should drive patch prioritization.

Vulnerability details

In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CWE(s): CWE-176 Improper Handling of Unicode Encoding

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: google
Product: android
Versions: 12.0, 12.1, 13.0, 14.0, 15.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
