CVE-2020-0416

HIGH

Android - Local Privilege Escalation via Tapjacking in Settings Screens


Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-0416. PoCs published by Satheesh575555, ShaikUsaf.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2020-0416, targeting Android Open Source Project (AOSP) version 10 r33. The exploit involves modifications to the Settings app, specifically focusing on preference and activity handling components.

Description

In multiple settings screens, there are possible tapjacking attacks due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation.

Product: Android
Versions: Android-9 Android-10 Android-11 Android-8.0 Android-8.1
Android ID: A-155288585

Exploits (2)

nomisec WORKING POC
by Satheesh575555 · poc
https://github.com/Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2020-0416

This repository contains a proof-of-concept exploit for CVE-2020-0416, targeting Android Open Source Project (AOSP) version 10 r33. The exploit involves modifications to the Settings app, specifically focusing on preference and activity handling components.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Android Open Source Project (AOSP) Settings App, version 10 r33
No auth needed
Prerequisites: Access to the target Android device · Ability to install or modify the Settings app
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by ShaikUsaf · poc
https://github.com/ShaikUsaf/packages_apps_settings_AOSP10_r33_CVE-2020-0416

This repository contains a proof-of-concept exploit for CVE-2020-0416, a vulnerability in Android's Settings app. The exploit involves manipulating intent extras to bypass security restrictions, potentially leading to privilege escalation or unauthorized actions.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Android Open Source Project (AOSP) Settings app, version 10 r33
No auth needed
Prerequisites: Access to the target device · Ability to send malicious intents to the Settings app
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Patch, Vendor Advisory (x_refsource_misc): https://source.android.com/security/bulletin/2020-10-01

Scores

CVSS v3 8.8
EPSS 0.0120
EPSS Percentile 64.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-1188
Status: published
Products (5)
google/android 8.0
google/android 8.1
google/android 9.0
google/android 10.0
google/android 11.0
Published Oct 14, 2020
Tracked Since Feb 18, 2026