CVE-2024-43765

High

Published: 21 January 2025

Published

21 January 2025

Modified

22 April 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0005 15.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-43765 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 15.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the Android-specific tapjacking vulnerability enabling folder access and local privilege escalation through timely patching as detailed in the security bulletin.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to the vulnerable folder, directly countering the incorrect default permissions (CWE-276) exploited via overlay attacks.

AC-6 Least Privilege partial match

prevent

Limits the impact of local privilege escalation by ensuring only minimal privileges are granted to processes, reducing damage from successful folder access.

NVD Description

In multiple locations, there is a possible way to obtain access to a folder due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.

Deeper analysisAI

CVE-2024-43765 is a vulnerability affecting Android that enables access to a folder through a tapjacking/overlay attack in multiple locations. This flaw could result in local escalation of privilege, requiring user execution privileges. It is rated with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H) and maps to CWE-276 (Incorrect Default Permissions). The vulnerability was published on 2025-01-21.

A local attacker possessing low privileges (PR:L) can exploit this issue with low attack complexity to achieve local escalation of privilege. Although the CVSS vector specifies no user interaction (UI:N), the description notes that user interaction is needed for exploitation. Successful exploitation grants high impacts on confidentiality, integrity, and availability.

The Android security bulletin at https://source.android.com/security/bulletin/2025-01-01 details patches and mitigation measures for this vulnerability.

Details

CWE(s): CWE-276

Affected Products

google

android

12.0, 12.1, 13.0, 14.0, 15.0

CVEs Like This One

CVE-2024-43769Same product: Google Android

CVE-2024-49744Same product: Google Android

CVE-2024-49735Same product: Google Android

CVE-2024-53835Same product: Google Android

CVE-2024-49732Same product: Google Android

CVE-2024-49737Same product: Google Android

CVE-2024-34730Same product: Google Android

CVE-2024-53841Same product: Google Android

CVE-2024-53840Same product: Google Android

CVE-2018-9401Same product: Google Android

References

https://source.android.com/security/bulletin/2025-01-01
Vendor Advisory · security@android.com