CVE-2020-0022

HIGH

Android 8.0-10 - Remote Code Execution via Bluetooth Packet Fragment Reassembly


Exploitation Summary

EIP tracks 9 public exploits for CVE-2020-0022. PoCs published by leommxj, Polo35, k3vinlusec.

AI-analyzed exploit summary: This PoC exploits CVE-2020-0022, a Bluetooth stack vulnerability in Android, by sending malformed L2CAP packets to trigger a buffer overflow. It demonstrates a DoS condition by crashing the Bluetooth service on vulnerable devices.

Description

In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible out-of-bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-8.0 Android-8.1 Android-9 Android-10
Android ID: A-143894715

Exploits (9)

nomisec WORKING POC 67 stars
by leommxj · poc
https://github.com/leommxj/cve-2020-0022

This PoC exploits CVE-2020-0022, a Bluetooth stack vulnerability in Android, by sending malformed L2CAP packets to trigger a buffer overflow. It demonstrates a DoS condition by crashing the Bluetooth service on vulnerable devices.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Racy
Target: Android Bluetooth stack (tested on Android 8.1.0 and 9.0)
No auth needed
Prerequisites: Bluetooth-enabled device with HCI/L2CAP access · Physical proximity to target device · Target device with vulnerable Bluetooth stack
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 35 stars
by Polo35 · poc
https://github.com/Polo35/CVE-2020-0022

This repository contains a proof-of-concept exploit for CVE-2020-0022, targeting the Bouygues BBox Miami running Android TV 8.0 on ARM32. The exploit leverages a Bluetooth vulnerability (BlueFrag) to achieve remote code execution via memory corruption and ROP chain techniques.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Bouygues BBox Miami (Android TV 8.0 - ARM32 Cortex A9)
No auth needed
Prerequisites: Bluetooth connection to target device · Python with PyBluez library · Target device running vulnerable Android version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 29 stars
by k3vinlusec · poc
https://github.com/k3vinlusec/Bluefrag_CVE-2020-0022

This repository contains a working proof-of-concept exploit for CVE-2020-0022, a Bluetooth RCE vulnerability affecting Android 8.0 and 9.0. The exploit leverages a memory corruption issue in the Bluetooth stack to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Android 8.0 and 9.0 Bluetooth stack
No auth needed
Prerequisites: Bluetooth enabled on target device · Physical proximity to the target device
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 19 stars
by themmokhtar · poc
https://github.com/themmokhtar/CVE-2020-0022

This repository contains a fully functional exploit for CVE-2020-0022, a Bluetooth zero-click RCE vulnerability affecting Android 8.0-9.0. The exploit is written in C and includes modular components for memory leakage, PC manipulation, and JOP chain execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Android 8.0-9.0 Bluetooth stack
No auth needed
Prerequisites: Bluetooth-enabled Android device (8.0-9.0) · Target MAC address · Proximity for Bluetooth communication
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 8 stars
by codecat007 · cpoc
https://github.com/codecat007/cvehub/tree/main/android/CVE-2020-0022

This repository contains a functional proof-of-concept exploit for CVE-2020-0022, a Bluetooth vulnerability in Android. The exploit sends malformed ACL packets to trigger a crash or potential code execution on vulnerable devices.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Racy
Target: Android Bluetooth stack (versions 8.1.0, 9.0)
No auth needed
Prerequisites: Bluetooth-enabled device · Physical proximity to target · Target device with vulnerable Bluetooth stack
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 4 stars
by lsw29475 · poc
https://github.com/lsw29475/CVE-2020-0022

This is a working exploit for CVE-2020-0022, a Bluetooth vulnerability in Android devices. It leverages a heap overflow in the Bluetooth stack to achieve remote code execution (RCE) by leaking memory addresses and crafting malicious packets.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Android Bluetooth stack (affecting multiple versions)
No auth needed
Prerequisites: Bluetooth-enabled Android device with vulnerable stack · Physical proximity for Bluetooth communication · Target MAC address
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 4 stars
by 5k1l · poc
https://github.com/5k1l/cve-2020-0022

This repository contains a proof-of-concept exploit for CVE-2020-0022, a Bluetooth vulnerability in Android. The code includes scripts and C programs to trigger crashes and leaks via malformed L2CAP packets.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Android Bluetooth stack (versions affected by CVE-2020-0022)
No auth needed
Prerequisites: Bluetooth connectivity to target device · Physical proximity or prior pairing
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by kalibb · poc
https://github.com/kalibb/CVE-2020-0022

This repository contains a fully functional exploit for CVE-2020-0022, a Bluetooth zero-click RCE vulnerability affecting Android 8.0-9.0. The exploit is written in C and includes modular components for memory leakage, PC overwrite, and JOP chain execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Android 8.0-9.0 Bluetooth stack
No auth needed
Prerequisites: Target device with Bluetooth enabled · MAC address of the target device
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by devdanqtuan · poc
https://github.com/devdanqtuan/poc-for-cve-2020-0022

This PoC exploits CVE-2020-0022, a Bluetooth stack vulnerability in Android, by sending malformed L2CAP packets to trigger a heap overflow, leading to a DoS or potential RCE. The code establishes a Bluetooth connection and sends crafted packets to crash the target device.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Racy
Target: Android Bluetooth stack (tested on Android 8.1.0, 9.0)
No auth needed
Prerequisites: Bluetooth connectivity to target device · Target device with vulnerable Bluetooth stack
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Patch, Vendor Advisory x_refsource_misc
https://source.android.com/security/bulletin/2020-02-01
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Feb/10

Scores

CVSS v3 8.8
EPSS 0.0758
EPSS Percentile 92.1%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE: CWE-682
Status: published
Products (25)
google/android 8.0
google/android 8.1
google/android 9.0
google/android 10.0
huawei/honor_8a_firmware < 9.1.0.291(c185e3r4p1)
huawei/honor_8x_firmware < 10.0.0.183(c185e2r6p1)
huawei/honor_view_20_firmware < 10.0.0.195(c636e3r4p3)
huawei/mate_20_firmware < 10.0.0.195(c00e74r3p8)
huawei/mate_20_pro_firmware < 10.0.0.196(c185e7r2p4)
huawei/mate_20_x_firmware < 10.0.0.195(c00e74r2p8)
... and 15 more
Published Feb 13, 2020
Tracked Since Feb 18, 2026