CVE-2024-43093

CVSS 7.3 HIGHEPSS 0.7%● KEVCWE-176

In short

A file access control in Android's external storage provider can be bypassed using special unicode characters, allowing an attacker to access files they shouldn't be able to reach. An attacker needs to trick a user into interacting with a malicious file or app to exploit this.

Technical detail

CVE-2024-43093 exploits improper unicode normalization in ExternalStorageProvider's shouldHideDocument method (CWE-176), allowing a local attacker to circumvent path-based filtering of sensitive directories. The attack requires user interaction but no elevated privileges, resulting in unauthorized file access and potential privilege escalation.

Summary generated and translated by AI from the official description.

In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Affected products

Google · Android

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://android.googlesource.com/platform/frameworks/base/+/7f83c671626f9bf993581f4598c22482d87cba10 https://source.android.com/security/bulletin/2025-03-01 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-43093