CVE-2020-0041

HIGH KEV

Android - Local Privilege Escalation via Binder Transaction Bounds Check

Exploitation Summary

CVE-2020-0041 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 5 public exploits from researchers including bluefrostsecurity, j4nn, and jcalabres.

AI-analyzed exploit summary: This repository contains a functional privilege escalation exploit for CVE-2020-0041, targeting Android devices. The exploit disables SELinux and spawns a root shell by leveraging a use-after-free vulnerability in the Binder driver.

Description

In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android kernel
Android ID: A-145988638
References: Upstream kernel

Exploits (5)

nomisec WORKING POC 253 stars
by bluefrostsecurity · local
https://github.com/bluefrostsecurity/CVE-2020-0041

This repository contains a functional privilege escalation exploit for CVE-2020-0041, targeting Android devices. The exploit disables SELinux and spawns a root shell by leveraging a use-after-free vulnerability in the Binder driver.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Android (Pixel 3 with February 2020 firmware, but adaptable to other vulnerable versions)
No auth needed
Prerequisites: Physical or local access to a vulnerable Android device · Android NDK for compilation · ADB access for deployment
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 58 stars
by j4nn · local
https://github.com/j4nn/CVE-2020-0041

This repository contains a local privilege escalation (LPE) exploit for CVE-2020-0041, targeting a vulnerability in the Android Binder driver. The exploit leverages memory corruption to escalate privileges, with the code structured to interact with the Binder IPC mechanism.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Android Binder driver (specific versions affected by CVE-2020-0041)
No auth needed
Prerequisites: Access to a vulnerable Android device with the affected Binder driver
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 10 stars
by jcalabres · poc
https://github.com/jcalabres/root-exploit-pixel3

This is a local privilege escalation exploit for CVE-2020-0041, targeting Pixel 3 devices running specific firmware. It disables SELinux and spawns a root shell by leveraging a use-after-free vulnerability in the Binder driver.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Android (Pixel 3, firmware QQ1A.200205.002)
No auth needed
Prerequisites: Pixel 3 device with vulnerable firmware (QQ1A.200205.002) · Local access to the device
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 5 stars
by vaginessa · local
https://github.com/vaginessa/CVE-2020-0041-Pixel-3a

This is a local privilege escalation exploit for CVE-2020-0041, targeting Pixel 3a devices. It disables SELinux and spawns a root shell by leveraging a use-after-free vulnerability in the Binder driver.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Android Kernel (Pixel 3a, February 2020 firmware QQ1A.200205.002)
No auth needed
Prerequisites: Physical or ADB access to the target device · Kernel offsets aligned for the specific firmware version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by koharin · poc
https://github.com/koharin/CVE-2020-0041

This repository contains a proof-of-concept exploit for CVE-2020-0041, targeting a use-after-free vulnerability in the Android Binder driver. The code demonstrates binder operations and memory manipulation to trigger the vulnerability.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Theoretical
Target: Android Binder driver (kernel)
No auth needed
Prerequisites: Access to the target Android device · Kernel with vulnerable Binder driver
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.8
EPSS 0.0325
EPSS Percentile 86.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-10-28
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-1548
CWE CWE-20
Status published
Products (1)
google/android
Published Mar 10, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026