CVE-2024-43093: Google Android Privilege Escalation Flaw

CVE-2024-43093 Overview

CVE-2024-43093 is a high-severity privilege escalation vulnerability in Google Android. The flaw resides in the shouldHideDocument method of ExternalStorageProvider.java. Incorrect Unicode normalization allows attackers to bypass a file path filter that restricts access to sensitive directories on the device. Successful exploitation leads to local escalation of privilege without additional execution privileges, though user interaction is required. The vulnerability affects Android versions 12, 12L, 13, 14, and 15. CISA has added CVE-2024-43093 to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The weakness is classified under [CWE-176] Improper Handling of Unicode Encoding.

Critical Impact

Attackers with local access can bypass Android storage access controls and reach protected directories such as Android/data and Android/obb, leading to local privilege escalation and exposure of sensitive application data.

Affected Products

• Google Android 12 and 12L
• Google Android 13 and 14
• Google Android 15

Discovery Timeline

• 2024-11-13 - CVE-2024-43093 published to the National Vulnerability Database
• 2025-03-01 - Google publishes fix in the Android Security Bulletin
• 2025-10-23 - Last updated in NVD database

Technical Details for CVE-2024-43093

Vulnerability Analysis

The vulnerability exists in Android's ExternalStorageProvider, a system component that mediates access to external storage through the Storage Access Framework. The shouldHideDocument method enforces a path filter intended to block access to protected directories, including Android/data, Android/obb, and Android/sandbox. The filter performs string comparisons against canonical directory names without first applying consistent Unicode normalization. Attackers can craft path strings that contain visually or semantically equivalent Unicode sequences that bypass the filter while still resolving to the protected directories at the file system layer.

Root Cause

The root cause is improper handling of Unicode encoding [CWE-176]. The filter logic compares raw byte or character sequences instead of normalizing input to a canonical form such as NFKC before evaluation. Sequences using combining characters, fullwidth variants, or alternate code points evaluate as different strings during the check but resolve identically when the path is later opened. This mismatch between the filtering layer and the file resolution layer creates the bypass.

Attack Vector

Exploitation requires local access and user interaction, typically through a malicious application installed on the device. The application invokes the Storage Access Framework with crafted document IDs containing non-normalized Unicode sequences. When the user grants access through a system picker, the application gains read or write access to directories that the filter was designed to protect. This exposes private application data belonging to other installed apps and enables local privilege escalation.

No verified public proof-of-concept code is available. See the Android Source Code Commit for the patched normalization logic.

Detection Methods for CVE-2024-43093

Indicators of Compromise

• Installed applications requesting Storage Access Framework permissions for Android/data or Android/obb paths through document URIs containing non-ASCII characters.
• Unexpected file reads or writes within other applications' private external storage directories.
• Applications with low reputation issuing OPEN_DOCUMENT_TREE intents that target system-protected directories.

Detection Strategies

• Monitor mobile devices for installation of applications from outside trusted distribution channels, especially those requesting broad storage access.
• Inspect application manifests and runtime behavior for Storage Access Framework calls that resolve to protected Android directories.
• Correlate device telemetry with the Android security patch level to identify endpoints still running unpatched builds of Android 12 through 15.

Monitoring Recommendations

• Track Android security patch level reporting through mobile device management (MDM) consoles and flag devices below the March 2025 patch level.
• Review application install logs for sideloaded packages on managed devices and quarantine unknown sources.
• Alert on enterprise applications attempting to enumerate or read files within other apps' sandboxed external storage paths.

How to Mitigate CVE-2024-43093

Immediate Actions Required

• Apply the March 2025 Android security patch level or later to all managed devices running Android 12, 12L, 13, 14, or 15.
• Restrict installation of applications from unknown sources through MDM policy on enterprise devices.
• Audit installed applications for unnecessary Storage Access Framework permissions and revoke where possible.
• Prioritize remediation given the inclusion of CVE-2024-43093 in the CISA Known Exploited Vulnerabilities catalog.

Patch Information

Google addressed CVE-2024-43093 in the Android Security Bulletin March 2025. The fix updates ExternalStorageProvider.java to apply consistent Unicode normalization before evaluating paths against the restricted directory filter. The code change is available in the Android Source Code Commit. Device manufacturers integrate the patch into their respective monthly security updates, so verify the patch level reported by each device rather than the Android version alone.

Workarounds

• No vendor-supplied workaround exists. Patching is the only effective remediation.
• Until patches are applied, limit user interaction with untrusted document pickers and prevent installation of sideloaded applications.
• Enroll devices in an MDM solution that enforces minimum security patch levels and blocks high-risk applications.

# Verify Android security patch level via adb
adb shell getprop ro.build.version.security_patch
# Confirm the returned date is 2025-03-01 or later