CVE-2020-0041
published 2020-03-10


Priority: P1 (81, high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 3.25% (86.8th percentile)
In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android kernel
Android ID: A-145988638
References: Upstream kernel

Affected

6 ranges

Vendor    Product        Version range                 Fixed in
debian    linux          < linux 5.4.6-1 (bookworm)    linux 5.4.6-1 (bookworm)
google    android
linux     linux_kernel   >= 0 < 5.4.6-1                5.4.6-1
linux     linux_kernel   >= 0 < 5.4.6-1                5.4.6-1
linux     linux_kernel   >= 0 < 5.4.6-1                5.4.6-1
linux     linux_kernel   >= 0 < 5.4.6-1                5.4.6-1

Detection & IOCs (extracted from sources)

  • Vulnerability is in binder_transaction() function within binder.c in the Android kernel — monitor for exploitation of the Binder IPC driver leading to out-of-bounds write and local privilege escalation
  • CVE-2020-0041 is observed chained with CVE-2019-2215 and CVE-2020-0069 as part of the 'AbstractEmu' exploit chain — detection logic should correlate exploitation attempts across all three CVEs
  • The exploit chain 'AbstractEmu' targets Android Kernel Binder (CVE-2020-0041), Binder use-after-free (CVE-2019-2215), and MediaTek Command Queue driver ioctl (CVE-2020-0069) — alert on any process achieving kernel-level privilege escalation from userland on Android devices
  • No additional execution privileges are required and no user interaction is needed for exploitation, lowering the bar for in-the-wild abuse
  • Scope is local — the attacker must already have code execution on the device (e.g., via a malicious app) before leveraging this kernel OOB write for privilege escalation
  • Fixed in Linux kernel 5.4.6-1 on Debian; Android patch reference is A-145988638 (upstream kernel fix) — ensure kernel version is at or above the fixed version before considering a host protected

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
osv                       7.8     HIGH
vulncheck                 7.8     HIGH
cisa                      7.8     HIGH
vendor_debian             7.8     HIGH