A bundled library version matches a published CVE in the offline feed.
How it's exploited
Once a bundled library version matches a published CVE, the bug is effectively public. Exploit writeups for popular mobile libraries circulate quickly, and attackers fingerprint apps by their SDK versions to find ones still shipping the affected release.
Why it matters
You inherit someone else's remote-code-execution or data-leak bug, with your app's permissions and your users' data.
How to fix it
Upgrade the dependency to the fixed version named in the finding's CVE reference.
Add a dependency-review gate in CI (the PTKD build gate can fail on new criticals).
Prune SDKs you no longer use; every dependency is attack surface.
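The dependency-review gate described above, as an added example that is not part of the PTKD tooling or the original finding: it matches a list of bundled SDK versions against an offline feed of affected version ranges and fails the build only on the severities you choose. The feed entries, package names and CVE ids below are constructed placeholders, and the half-open "introduced <= version < fixed" range convention is an assumption.

```python
import json

# Constructed sample of an offline CVE feed (placeholder ids and made-up ranges).
OFFLINE_FEED = json.loads("""
[
 {"id": "CVE-PLACEHOLDER-0001", "package": "example-net-sdk", "severity": "CRITICAL",
  "introduced": "4.0.0", "fixed": "4.9.3"},
 {"id": "CVE-PLACEHOLDER-0002", "package": "example-json-sdk", "severity": "HIGH",
  "introduced": "2.0", "fixed": "2.8.9"}
]
""")

def parse_version(v):
    """Turn '4.9.1' into a tuple of ints; non-numeric components become 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_affected(version, introduced, fixed):
    """Affected if introduced <= version < fixed; tuples are zero-padded so '2.8' == '2.8.0'."""
    vs = [parse_version(x) for x in (version, introduced, fixed)]
    n = max(len(t) for t in vs)
    v, lo, hi = (t + (0,) * (n - len(t)) for t in vs)
    return lo <= v < hi

def find_matches(bundled, feed):
    """Return (package, version, cve id, severity) for every bundled lib inside an affected range."""
    matches = []
    for pkg, ver in bundled.items():
        for entry in feed:
            if entry["package"] == pkg and is_affected(ver, entry["introduced"], entry["fixed"]):
                matches.append((pkg, ver, entry["id"], entry["severity"]))
    return matches

def gate(bundled, feed, fail_on=("CRITICAL",)):
    """CI gate: return (should_fail, matches). Only severities listed in fail_on block the build."""
    matches = find_matches(bundled, feed)
    should_fail = any(m[3] in fail_on for m in matches)
    return should_fail, matches

if __name__ == "__main__":
    # Constructed sample of SDK versions extracted from an app's bundled libraries.
    bundled = {"example-net-sdk": "4.9.1", "example-json-sdk": "2.8.9", "example-ui-sdk": "2.9.0"}
    failed, found = gate(bundled, OFFLINE_FEED)
    for pkg, ver, cve, sev in found:
        print(f"{sev}: {pkg} {ver} matches {cve}")
    raise SystemExit(1 if failed else 0)  # non-zero exit fails the CI job
```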