CVE-2024-43095

High

Published: 21 January 2025

Published

21 January 2025

Modified

22 April 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0004 12.9th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-43095 is a high-severity Observable Discrepancy (CWE-203) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 12.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the logic error in Android components by requiring timely identification, reporting, and correction of flaws through vendor patches as specified in the Android Security Bulletin.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to system resources, directly countering the logic error that improperly grants any system permission.

AC-6 Least Privilege partial match

prevent

Implements least privilege to restrict low-privilege local attackers from gaining full system control even if partial escalation occurs via the logic flaw.

NVD Description

In multiple locations, there is a possible way to obtain any system permission due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for…

exploitation.

Deeper analysisAI

CVE-2024-43095 is a logic error (CWE-203) present in multiple locations within Android components, enabling attackers to obtain any system permission. This vulnerability allows for local escalation of privilege without requiring additional execution privileges beyond basic local access. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on January 21, 2025.

A local attacker with low privileges (PR:L) can exploit this issue due to its low attack complexity (AC:L). Although the description notes that user interaction is needed for exploitation, the CVSS metrics indicate no user interaction (UI:N). Successful exploitation grants high confidentiality, integrity, and availability impacts, effectively providing full system-level control.

The Android Security Bulletin for January 2025 at https://source.android.com/security/bulletin/2025-01-01 provides details on affected versions and patches to mitigate this vulnerability. Security practitioners should apply the recommended updates promptly to Android devices.

Details

CWE(s): CWE-203

Affected Products

google

android

12.0, 12.1, 13.0, 14.0, 15.0

CVEs Like This One

CVE-2025-48574Same product: Google Android

CVE-2025-36920Same product: Google Android

CVE-2026-0011Same product: Google Android

CVE-2025-36897Same product: Google Android

CVE-2026-0020Same product: Google Android

CVE-2026-0109Same product: Google Android

CVE-2026-0117Same product: Google Android

CVE-2024-53833Same product: Google Android

CVE-2026-0010Same product: Google Android

CVE-2026-0113Same product: Google Android

References

https://source.android.com/security/bulletin/2025-01-01
Vendor Advisory · security@android.com