cbcvebase.
CVE-2020-0380
published 2020-09-17

CVE-2020-0380: In allocExcessBits of bitalloc.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no…

PriorityP258critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
2.82%
84.8th percentile
In allocExcessBits of bitalloc.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-146398979

Affected

11 ranges
VendorProductVersion rangeFixed in
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
platformsystem_bt>= 10:0 < 10:2020-09-0110:2020-09-01
platformsystem_bt>= 8.0:0 < 8.0:2020-09-018.0:2020-09-01
platformsystem_bt>= 8.1:0 < 8.1:2020-09-018.1:2020-09-01
platformsystem_bt>= 9:0 < 9:2020-09-019:2020-09-01

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability resides in the `allocExcessBits` function within `bitalloc.c` — monitor for exploitation attempts targeting Android media processing (e.g., malformed audio files triggering out-of-bounds write in the APTX/SBC bit allocation logic)
  • No user interaction required and no additional privileges needed — exploit can be triggered remotely, making network-facing media parsing services (Bluetooth audio, media server) a key detection surface on Android 8.0–11
  • Prioritise detection/patching on Android versions 8.0, 8.1, 9, and 10 as confirmed affected AOSP versions per the September 2020 security bulletin
  • ·CVE is rated CRITICAL with RCE impact and zero interaction/privilege requirements — patch priority should be highest for any internet- or network-exposed Android 8.0–11 devices
  • ·Android 11 is listed as affected in the NVD entry but is NOT listed in the AOSP affected versions in the official bulletin — verify patch applicability per device build

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.