CVE-2020-0041
Published: 2020-03-10
Priority: P181 · Severity: high · CVSS 3.1 base score: 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (remediation due 2022-05-03) · Exploited in the wild
EPSS: 3.25% (86.8th percentile)
In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android kernel
Android ID: A-145988638
References: Upstream kernel
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 5.4.6-1 (bookworm) | linux 5.4.6-1 (bookworm) |
| android | — | — | |
| linux | linux_kernel | >= 0 < 5.4.6-1 | 5.4.6-1 |
| linux | linux_kernel | >= 0 < 5.4.6-1 | 5.4.6-1 |
| linux | linux_kernel | >= 0 < 5.4.6-1 | 5.4.6-1 |
| linux | linux_kernel | >= 0 < 5.4.6-1 | 5.4.6-1 |
Detection & IOCs (extracted from sources)
- The vulnerability is in the binder_transaction() function within binder.c in the Android kernel — monitor for exploitation of the Binder IPC driver leading to an out-of-bounds write and local privilege escalation
- CVE-2020-0041 is observed chained with CVE-2019-2215 and CVE-2020-0069 as part of the 'AbstractEmu' exploit chain — detection logic should correlate exploitation attempts across all three CVEs
- The 'AbstractEmu' exploit chain targets the Android kernel Binder out-of-bounds write (CVE-2020-0041), the Binder use-after-free (CVE-2019-2215), and the MediaTek Command Queue driver ioctl (CVE-2020-0069) — alert on any process achieving kernel-level privilege escalation from userland on Android devices
- No additional execution privileges are required and no user interaction is needed for exploitation, lowering the bar for in-the-wild abuse
- Scope is local — the attacker must already have code execution on the device (e.g., via a malicious app) before leveraging this kernel OOB write for privilege escalation
- Fixed in Linux kernel 5.4.6-1 on Debian; the Android patch reference is A-145988638 (upstream kernel fix) — ensure the kernel version is at or above the fixed version before considering a host protected
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
GHSA
GHSA-jwfh-687w-6qp5 · ghsa_unreviewed · 2022-05-24
CVE-2020-0041 [HIGH] CWE-20 (description identical to the NVD text above)
OSV
CVE-2020-0041 · osv · 2020-03-10 · CVSS 7.8
CVE-2020-0041 [HIGH] (description identical to the NVD text above)
VulnCheck
Mediatek Multiple Chipsets Insufficient Input Validation Vulnerability
vulncheck · 2020 · CVSS 7.8 · CVE-2020-0069 [HIGH] CWE-787
Multiple MediaTek chipsets contain an insufficient input validation vulnerability and have missing SELinux restrictions in the Command Queue drivers ioctl handlers. This causes an out-of-bounds write leading to privilege escalation. This vulnerability was observed chained with CVE-2019-2215 and CVE-2020-0041 under exploit chain "AbstractEmu."
Affected: MediaTek Multiple Chipsets
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.lookout.com/threat-intelligence/article/lookout-discovers-global-rooting-malware-campaign; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/9a931c619e3c; https://vulncheck.com
VulnCheck
Android Kernel Out-of-Bounds Write Vulnerability
vulncheck · 2020 · CVSS 7.8 · CVE-2020-0041 [HIGH] CWE-20
Android Kernel binder_transaction of binder.c contains an out-of-bounds write vulnerability due to an incorrect bounds check that could allow for local privilege escalation. This vulnerability was observed chained with CVE-2019-2215 and CVE-2020-0069 under exploit chain "AbstractEmu."
Affected: Android Android
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.lookout.com/threat-intelligence/article/lookout-discovers-global-rooting-malware-campaign; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/b8a8ac784158; https://vulncheck.com/xdb/95ece15b5070; https://vulncheck.com/xdb/c2368cc50b93
Remediation Due: 2022-05-03
VulnCheck
Android Kernel Use-After-Free Vulnerability
vulncheck · 2019 · CVSS 7.8 · CVE-2019-2215 [HIGH] CWE-416
Android Kernel contains a use-after-free vulnerability in binder.c that allows for privilege escalation from an application to the Linux Kernel. This vulnerability was observed chained with CVE-2020-0041 and CVE-2020-0069 under exploit chain "AbstractEmu."
Affected: Android Android
Required Action: Apply updates per vendor instructions.
Exploitation References: https://bugs.chromium.org/p/project-zero/issues/detail?id=1942#c7; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.trendmicro.com/en_us/research/20/a/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group.html; https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-t
CISA
Mediatek Multiple Chipsets Insufficient Input Validation Vulnerability
cisa · 2021-11-03 · CVSS 7.8 · CVE-2020-0069 [HIGH] CWE-787
Affected: MediaTek Multiple Chipsets
Multiple MediaTek chipsets contain an insufficient input validation vulnerability and have missing SELinux restrictions in the Command Queue drivers ioctl handlers. This causes an out-of-bounds write leading to privilege escalation. This vulnerability was observed chained with CVE-2019-2215 and CVE-2020-0041 under exploit chain "AbstractEmu."
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-0069
Remediation Due Date: 2022-05-03
CISA
Android Kernel Out-of-Bounds Write Vulnerability
cisa · 2021-11-03 · CVSS 7.8 · CVE-2020-0041 [HIGH] CWE-20
Affected: Android Android Kernel
Android Kernel binder_transaction of binder.c contains an out-of-bounds write vulnerability due to an incorrect bounds check that could allow for local privilege escalation. This vulnerability was observed chained with CVE-2019-2215 and CVE-2020-0069 under exploit chain "AbstractEmu."
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-0041
Remediation Due Date: 2022-05-03
CISA
Android Kernel Use-After-Free Vulnerability
cisa · 2021-11-03 · CVSS 7.8 · CVE-2019-2215 [HIGH] CWE-416
Affected: Android Android Kernel
Android Kernel contains a use-after-free vulnerability in binder.c that allows for privilege escalation from an application to the Linux Kernel. This vulnerability was observed chained with CVE-2020-0041 and CVE-2020-0069 under exploit chain "AbstractEmu."
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-2215
Remediation Due Date: 2022-05-03
Android
CVE-2020-0041: Binder
vendor_android · 2020-03-01 · CVSS 7.8 · CVE-2020-0041 [HIGH]
Android Security Bulletin 2020-03-01
CVE: CVE-2020-0041
Severity: HIGH
Type: EoP
Component: Binder
References: A-145988638 (Upstream kernel)
Debian
CVE-2020-0041: linux - In binder_transaction of binder.c, there is a possible out of bounds write due t...
vendor_debian · 2020 · CVSS 7.8 · CVE-2020-0041 [HIGH] (description identical to the NVD text above)
Scope: local
bookworm: resolved (fixed in 5.4.6-1)
bullseye: resolved (fixed in 5.4.6-1)
forky: resolved (fixed in 5.4.6-1)
sid: resolved (fixed in 5.4.6-1)
trixie: resolved (fixed in 5.4.6-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Timeline
2020-03-10: Published
2021-11-03: Added to CISA KEV
Exploited in the wild