CVE-2020-0423

HIGH

Android - Use-After-Free in binder_release_work

Title source: llm
Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-0423. PoCs published by sparrow-labz, wired0ut.

Description

In binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android kernel
Android ID: A-161151868
References: N/A

Exploits (2)

nomisec WORKING POC 5 stars
by sparrow-labz · poc
https://github.com/sparrow-labz/CVE-2020-0423

This repository contains a proof-of-concept exploit for CVE-2020-0423, a use-after-free vulnerability in the Android Binder driver. The exploit uses heap spraying and binder transactions to trigger the vulnerability, potentially leading to local privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Android Binder driver (Linux kernel)
No auth needed
Prerequisites: Access to the target Android device · Kernel version vulnerable to CVE-2020-0423
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by wired0ut · poc
https://github.com/wired0ut/CVE-2020-0423

This repository contains a functional exploit for CVE-2020-0423, a use-after-free (UAF) vulnerability in the Android Binder driver. The exploit demonstrates a race condition between binder_deferred_release and binder_release_work to achieve local privilege escalation (LPE).

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Android Binder driver (Linux kernel)
No auth needed
Prerequisites: Access to /dev/binder · Multi-core CPU for race condition
devstral-2 · analyzed May 19, 2026

References (2)

Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/12/msg00015.html

Scores

CVSS v3 7.8
EPSS 0.0050
EPSS Percentile 39.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-416, CWE-667
Status published
Products (2)
debian/debian_linux 9.0
google/android
Published Oct 14, 2020
Tracked Since Feb 18, 2026