CVSS3: 7 High

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | HIGH |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.9 Medium

Metric | Value |
---|---|
Access Vector | LOCAL |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low

Percentile: 5.3%

In binder_thread_release of binder.c, there is a possible use after free
due to a race condition. This could lead to local escalation of privilege
with no additional execution privileges needed. User interaction is not
needed for exploitation.

Product: Android
Versions: Android kernel
Android ID: A-145286050
References: Upstream kernel

Author | Note |
---|---|
cascardo | This seems to be like that since binder was added to the kernel, i.e., binder would allow the thread to be freed while its wait member was still in the epoll waitqueue. Description was taken from patch's comment, as it describes the specific race condition that makes this different from CVE-2019-2215. I added the first sentence which would be a fair description of both this CVE and CVE-2019-2215. |

git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5eeb2ca02a2f6084fc57ae5c244a38baab07033a
launchpad.net/bugs/cve/CVE-2020-0030
nvd.nist.gov/vuln/detail/CVE-2020-0030
security-tracker.debian.org/tracker/CVE-2020-0030
www.cve.org/CVERecord?id=CVE-2020-0030