Cyber Resilience

CVE-2024-43095

High

Published: 21 January 2025

Published
21 January 2025
Modified
22 April 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0004 13.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-43095 is a high-severity Observable Discrepancy (CWE-203) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-43095 is a logic error (CWE-203) present in multiple locations within Android components, enabling attackers to obtain any system permission. This vulnerability allows for local escalation of privilege without requiring additional execution privileges beyond basic local access. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on January 21, 2025.

A local attacker with low privileges (PR:L) can exploit this issue due to its low attack complexity (AC:L). Although the description notes that user interaction is needed for exploitation, the CVSS metrics indicate no user interaction (UI:N). Successful exploitation grants high confidentiality, integrity, and availability impacts, effectively providing full system-level control.

The Android Security Bulletin for January 2025 at https://source.android.com/security/bulletin/2025-01-01 provides details on affected versions and patches to mitigate this vulnerability. Security practitioners should apply the recommended updates promptly to Android devices.

EU & UK References

Vulnerability details

In multiple locations, there is a possible way to obtain any system permission due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for…

more

exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local logic flaw directly enables privilege escalation to obtain arbitrary system permissions (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56192Same product: Google Android
CVE-2025-48602Same product: Google Android
CVE-2026-0124Same product: Google Android
CVE-2024-49738Same product: Google Android
CVE-2024-40651Same product: Google Android
CVE-2026-0023Same product: Google Android
CVE-2025-48574Same product: Google Android
CVE-2025-48647Same product: Google Android
CVE-2025-48646Same product: Google Android
CVE-2026-0026Same product: Google Android

Affected Assets

google
android
12.0, 12.1, 13.0, 14.0, 15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the logic error in Android components by requiring timely identification, reporting, and correction of flaws through vendor patches as specified in the Android Security Bulletin.

prevent

Enforces approved authorizations for access to system resources, directly countering the logic error that improperly grants any system permission.

prevent

Implements least privilege to restrict low-privilege local attackers from gaining full system control even if partial escalation occurs via the logic flaw.

References