CVE-2024-43765

High

Published: 21 January 2025

Published

21 January 2025

Modified

22 April 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0005 15.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In multiple locations, there is a possible way to obtain access to a folder due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.

Security Summary

CVE-2024-43765 is a vulnerability affecting Android that enables access to a folder through a tapjacking/overlay attack in multiple locations. This flaw could result in local escalation of privilege, requiring user execution privileges. It is rated with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H) and maps to CWE-276 (Incorrect Default Permissions). The vulnerability was published on 2025-01-21.

A local attacker possessing low privileges (PR:L) can exploit this issue with low attack complexity to achieve local escalation of privilege. Although the CVSS vector specifies no user interaction (UI:N), the description notes that user interaction is needed for exploitation. Successful exploitation grants high impacts on confidentiality, integrity, and availability.

The Android security bulletin at https://source.android.com/security/bulletin/2025-01-01 details patches and mitigation measures for this vulnerability.

Details

CWE(s): CWE-276

Affected Products

google

android

12.0, 12.1, 13.0, 14.0, 15.0

References

https://source.android.com/security/bulletin/2025-01-01
Vendor Advisory · security@android.com