CVE-2024-43769

High

Published: 03 January 2025

Published

03 January 2025

Modified

21 April 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 8.5th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-43769 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 8.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the logic error by requiring identification, reporting, and correction of the flaw in PackageManagerService via timely application of the vendor patch.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations in package management to correctly handle device admin checks and prevent improper retention of privileged packages like CloudDpc.

AC-25 Reference Monitor partial match

prevent

Implements a tamper-proof reference monitor that precisely enforces access control policies, addressing failures in the PackageManagerService logic for uninstallation decisions.

NVD Description

In isPackageDeviceAdmin of PackageManagerService.java, there is a possible edge case which could prevent the uninstallation of CloudDpc due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User…

interaction is not needed for exploitation.

Deeper analysisAI

CVE-2024-43769 is a logic error in the isPackageDeviceAdmin function of PackageManagerService.java within the Android Open Source Project's frameworks/base component. This vulnerability introduces an edge case that prevents the uninstallation of the CloudDpc package, enabling local escalation of privilege. No additional execution privileges or user interaction are required for exploitation, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and association to CWE-276 (Incorrect Default Permissions).

A local attacker with low privileges can exploit this issue by triggering the specific edge case in the package administration logic. Successful exploitation prevents the removal of CloudDpc, allowing the attacker to achieve privilege escalation with high impacts on confidentiality, integrity, and availability.

The Android Security Bulletin for December 2024 documents this vulnerability, recommending updates to affected devices. A fix is available in the Android source code via commit 619ffc299bf33566ba6daee8301ee0fc96e015f4.

Details

CWE(s): CWE-276

Affected Products

google

android

13.0, 14.0, 15.0

CVEs Like This One

CVE-2024-49744Same product: Google Android

CVE-2024-49735Same product: Google Android

CVE-2024-43765Same product: Google Android

CVE-2024-53835Same product: Google Android

CVE-2024-49732Same product: Google Android

CVE-2024-49737Same product: Google Android

CVE-2024-34730Same product: Google Android

CVE-2024-53841Same product: Google Android

CVE-2024-53840Same product: Google Android

CVE-2018-9401Same product: Google Android

References

https://android.googlesource.com/platform/frameworks/base/+/619ffc299bf33566ba6daee8301ee0fc96e015f4
Product · security@android.com
https://source.android.com/security/bulletin/2024-12-01
Vendor Advisory · security@android.com