In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HGoogle Android
OSGoogle12.012.113.014.015.0
CISA KEV — detailsi
- Vendori
- Android
- Producti
- Framework
- Added to KEVi
- November 7, 2024
- Remediation deadline (US Federal)i
- November 28, 2024(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Android Framework contains an unspecified vulnerability that allows for privilege escalation.
Related vulnerabilities
Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who ha...
Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application cr...
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.4...
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.4...
Insufficient validation of untrusted input in Text in Google Chrome on Android prior to 150.0.7871.47 allowed ...