Cyber Posture

CVE-2024-43095

Severity: High

Published: 21 January 2025
Modified: 22 April 2025
KEV Added:
Patch:
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (12.8th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

In multiple locations, there is a possible way to obtain any system permission due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Security Summary

CVE-2024-43095 is a logic error (CWE-203) present in multiple locations within Android components, enabling attackers to obtain any system permission. This vulnerability allows for local escalation of privilege without requiring additional execution privileges beyond basic local access. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on January 21, 2025.

A local attacker with low privileges (PR:L) can exploit this issue with low attack complexity (AC:L). Note the discrepancy between the two sources: the description states that user interaction is needed for exploitation, while the CVSS vector records no user interaction (UI:N). Successful exploitation yields high confidentiality, integrity, and availability impact, effectively providing full system-level control.

The Android Security Bulletin for January 2025 at https://source.android.com/security/bulletin/2025-01-01 provides details on affected versions and patches to mitigate this vulnerability. Security practitioners should apply the recommended updates promptly to Android devices.

Details

CWE(s): CWE-203

Affected Products

Vendor: google
Product: android
Versions: 12.0, 12.1, 13.0, 14.0, 15.0

References