CVE-2024-43093
Published: 13 November 2024
Summary
CVE-2024-43093 is a high-severity Improper Handling of Unicode Encoding (CWE-176) vulnerability in Google Android. Its CVSS base score is 7.3 (High).
Operationally, ranked at the 33.7th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
Deeper analysis
CVE-2024-43093 is a vulnerability in Android's ExternalStorageProvider.java within the frameworks/base component, where the shouldHideDocument method fails to correctly apply Unicode normalization when enforcing a file path filter. This flaw allows bypass of restrictions intended to block access to sensitive directories and carries a CVSS 3.1 score of 7.3 under CWE-176.
An attacker with local access and limited privileges can exploit the issue to reach protected paths, achieving escalation to higher privileges. Successful exploitation requires user interaction, such as an action that triggers the affected storage provider logic.
The March 2025 Android security bulletin and the associated AOSP commit provide the official remediation, which updates the normalization handling in ExternalStorageProvider. The vulnerability is also tracked in CISA's Known Exploited Vulnerabilities catalog.
EPSS for the CVE rose from a low baseline to a peak of 0.0197 the day after disclosure before receding, indicating a transient but measurable increase in exploitation interest following public release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40034
Vulnerability details
In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed.…
more
User interaction is needed for exploitation.
- CWE(s)
- KEV Date Added
- 07 November 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.