Out-of-bounds write in Google Android



Published: 2020-08-11 | Updated: 2020-08-30
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-0256
CWE-ID CWE-787
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		Google Android
Operating systems & Components / Operating system

Vendor Google

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Out-of-bounds write

EUVDB-ID: #VU45872

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-0256

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

In LoadPartitionTable of gpt.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege when inserting a malicious USB device, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-8.0Android ID: A-152874864

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 8.0 - 10

External links

http://source.android.com/security/bulletin/2020-08-01


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###