Cyber Resilience

CVE-2020-0041

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 10 March 2020

Modified: 23 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2387 (96.1th percentile)
Risk Priority: 50 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-0041 is a high-severity Improper Input Validation (CWE-20) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2020-0041 is an out-of-bounds write in the binder_transaction function of binder.c, caused by an incorrect bounds check. It affects the Android kernel, carries Android ID A-145988638, and is referenced against the upstream kernel. The flaw is assigned CWE-20 and carries a CVSS 3.1 score of 7.8.

A local attacker with existing process privileges can exploit the issue without additional execution rights or user interaction, resulting in escalation of privilege that affects confidentiality, integrity, and availability.

The March 2020 Android security bulletin documents the issue and associated patches, while the CISA known exploited vulnerabilities catalog confirms its presence in real-world attack activity.

Vulnerability details

In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android kernel
Android ID: A-145988638
References: Upstream kernel

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google · android · all versions

Mitigating Controls (NIST 800-53 r5)

prevent

Directly counters the root cause—an incorrect bounds check in binder_transaction—by enforcing validation of all input sizes before memory operations.

prevent

Applies memory-protection mechanisms that block or contain the out-of-bounds write primitive used for local privilege escalation.

prevent

Enforces process/kernel isolation boundaries so that a compromised binder transaction cannot freely escalate privileges across security domains.
