CVE-2020-0401

HIGH

Android - Missing Authorization in PackageManagerService

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-0401. PoCs published by nanopathi, Satheesh575555.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2020-0401, targeting Android's autofill framework. The code demonstrates how an attacker could manipulate autofill behavior to potentially leak sensitive information or cause unexpected behavior in Android applications.

Description

In setInstallerPackageName of PackageManagerService.java, there is a missing permission check. This could lead to local escalation of privilege and granting spurious permissions with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10 Android-11Android ID: A-150857253

Exploits (2)

nomisec WORKING POC

by nanopathi · poc

https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2020-0401

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2020-0401, targeting Android's autofill framework. The code demonstrates how an attacker could manipulate autofill behavior to potentially leak sensitive information or cause unexpected behavior in Android applications.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Android Autofill Framework (AOSP 10)

No auth needed

Prerequisites: Access to an Android device with autofill enabled · Ability to install a malicious autofill service

MITRE ATT&CK

T1119 - Automated Collection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by Satheesh575555 · poc

https://github.com/Satheesh575555/frameworks_base_AOSP10_r33_CVE-2020-0401

View Code ZIP pw:eip

This repository contains a proof-of-concept for CVE-2020-0401, an Android autofill vulnerability. The code includes test cases and a custom autofill service to demonstrate the issue.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Android 10 (AOSP r33)

No auth needed

Prerequisites: Android device with autofill functionality

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory x_refsource_misc

https://source.android.com/security/bulletin/2020-09-01

Scores

CVSS v3 7.8

EPSS 0.0028

EPSS Percentile 19.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-862

Status published

Products (4)

google/android 8.0

google/android 8.1

google/android 9.0

google/android 10.0

Published Sep 17, 2020

Tracked Since Feb 18, 2026