{"id":"ASB-A-161812320", "published":"2020-11-01T00:00:00Z", "modified":"2026-05-01T15:24:27.653932157Z", "aliases":["CVE-2020-0438", "A-161812320"], "details":"In the AIBinder_Class constructor of ibinder.cpp, there is a possible arbitrary code execution due to uninitialized data. This could lead to local escalation of privilege if a process were using libbinder_ndk in a vulnerable way with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/native", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"11-next:0"}, {"fixed":"11-next:2020-11-01"}]}], "versions":["11-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/882340762039c330283736187020f41334b60f05"], "severity":"High", "spl":"2020-11-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["166853182971095957477295542990318855226", "2714496182692667837940115498659040009", "127929062338231145922199514350132922165"], "threshold":0.9}, "id":"ASB-A-161812320-03e75a9b", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/882340762039c330283736187020f41334b60f05", "target":{"file":"libs/binder/ndk/tests/libbinder_ndk_unit_test.cpp"}}, {"deprecated":false, "digest":{"function_hash":"6692660950372729705060540801180559721", "length":1507}, "id":"ASB-A-161812320-17a8061e", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/882340762039c330283736187020f41334b60f05", "target":{"file":"libs/binder/ndk/ibinder.cpp", "function":"ABBinder::onTransact"}}, {"deprecated":false, "digest":{"line_hashes":["13922026013675028407001722743555010547", "237617003093890210114359234712291170391", "219405424050546884940338494511715324280", "119566248312543600779338226999319230832", "182581632736243370490049382777622835574", "236572504900660911225729334021913050525", "301431736978975864467937568986792238562", "218907331790811812538155140498544355941"], "threshold":0.9}, "id":"ASB-A-161812320-1c31474a", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/882340762039c330283736187020f41334b60f05", "target":{"file":"libs/binder/ndk/ibinder_internal.h"}}, {"deprecated":false, "digest":{"function_hash":"24222033419103900466493647316503210414", "length":432}, "id":"ASB-A-161812320-1caada43", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/882340762039c330283736187020f41334b60f05", "target":{"file":"libs/binder/ndk/tests/iface.cpp", "function":"IFoo::addService"}}, {"deprecated":false, "digest":{"line_hashes":["337953460655781670954193138801848487872", "129737973091506341549555497449437046760", "166341565519246474420017384019488169919", "43085590477963808790312978891684483105"], "threshold":0.9}, "id":"ASB-A-161812320-4870102c", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/882340762039c330283736187020f41334b60f05", "target":{"file":"libs/binder/ndk/ibinder.cpp"}}, {"deprecated":false, "digest":{"line_hashes":["166846193524674178006558397101840566531", "190330214196064866872130790560553921089", "126345581594453208055667319110442750718"], "threshold":0.9}, "id":"ASB-A-161812320-732099de", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/882340762039c330283736187020f41334b60f05", "target":{"file":"libs/binder/ndk/tests/include/iface/iface.h"}}, {"deprecated":false, "digest":{"line_hashes":["315785499823683027533714458595445267303", "186193274819663599976554617998107598682", "75193321492464836734796987614755455116", "160750622868819087105985984949384490650", "116552410365698554304017692825057346924", "142696787752292026367259100555575150769", "58627899538112562548751526190996095836", "83498136934319160209930637927120875644", "59564831642801405582725424701065084564"], "threshold":0.9}, "id":"ASB-A-161812320-fd963a39", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/882340762039c330283736187020f41334b60f05", "target":{"file":"libs/binder/ndk/tests/iface.cpp"}}]}}, {"package":{"name":"platform/frameworks/native", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"10:0"}, {"fixed":"10:2020-11-01"}]}], "versions":["10"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/8d49c3fbae160936ac44a1213e53e6cf617ee867"], "severity":"High", "spl":"2020-11-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["13922026013675028407001722743555010547", "237617003093890210114359234712291170391", "219405424050546884940338494511715324280", "119566248312543600779338226999319230832", "187701804535008349201468938291727747670", "105129803371113960669159704341731600041", "220404689486226927036787968493060335824"], "threshold":0.9}, "id":"ASB-A-161812320-3cb98a16", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/8d49c3fbae160936ac44a1213e53e6cf617ee867", "target":{"file":"libs/binder/ndk/ibinder_internal.h"}}, {"deprecated":false, "digest":{"line_hashes":["166846193524674178006558397101840566531", "190330214196064866872130790560553921089", "126345581594453208055667319110442750718"], "threshold":0.9}, "id":"ASB-A-161812320-6dcb8bac", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/8d49c3fbae160936ac44a1213e53e6cf617ee867", "target":{"file":"libs/binder/ndk/test/include/iface/iface.h"}}, {"deprecated":false, "digest":{"line_hashes":["315785499823683027533714458595445267303", "186193274819663599976554617998107598682", "75193321492464836734796987614755455116", "160750622868819087105985984949384490650", "116552410365698554304017692825057346924", "142696787752292026367259100555575150769", "58627899538112562548751526190996095836", "83498136934319160209930637927120875644", "59564831642801405582725424701065084564"], "threshold":0.9}, "id":"ASB-A-161812320-aacb7cfb", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/8d49c3fbae160936ac44a1213e53e6cf617ee867", "target":{"file":"libs/binder/ndk/test/iface.cpp"}}, {"deprecated":false, "digest":{"function_hash":"24222033419103900466493647316503210414", "length":432}, "id":"ASB-A-161812320-bbe0b51f", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/8d49c3fbae160936ac44a1213e53e6cf617ee867", "target":{"file":"libs/binder/ndk/test/iface.cpp", "function":"IFoo::addService"}}, {"deprecated":false, "digest":{"line_hashes":["166853182971095957477295542990318855226", "2714496182692667837940115498659040009", "127929062338231145922199514350132922165"], "threshold":0.9}, "id":"ASB-A-161812320-f8281d3d", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/8d49c3fbae160936ac44a1213e53e6cf617ee867", "target":{"file":"libs/binder/ndk/test/main_client.cpp"}}]}}, {"package":{"name":"platform/frameworks/native", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"11:0"}, {"fixed":"11:2020-11-01"}]}], "versions":["11"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/deb5346761308d9cda3a249283a482a1ce08549e"], "severity":"High", "spl":"2020-11-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"24222033419103900466493647316503210414", "length":432}, "id":"ASB-A-161812320-2ade344f", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/deb5346761308d9cda3a249283a482a1ce08549e", "target":{"file":"libs/binder/ndk/test/iface.cpp", "function":"IFoo::addService"}}, {"deprecated":false, "digest":{"line_hashes":["166846193524674178006558397101840566531", "190330214196064866872130790560553921089", "126345581594453208055667319110442750718"], "threshold":0.9}, "id":"ASB-A-161812320-35296a65", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/deb5346761308d9cda3a249283a482a1ce08549e", "target":{"file":"libs/binder/ndk/test/include/iface/iface.h"}}, {"deprecated":false, "digest":{"function_hash":"6692660950372729705060540801180559721", "length":1507}, "id":"ASB-A-161812320-67d3a80b", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/deb5346761308d9cda3a249283a482a1ce08549e", "target":{"file":"libs/binder/ndk/ibinder.cpp", "function":"ABBinder::onTransact"}}, {"deprecated":false, "digest":{"line_hashes":["13922026013675028407001722743555010547", "237617003093890210114359234712291170391", "219405424050546884940338494511715324280", "119566248312543600779338226999319230832", "182581632736243370490049382777622835574", "236572504900660911225729334021913050525", "301431736978975864467937568986792238562", "218907331790811812538155140498544355941"], "threshold":0.9}, "id":"ASB-A-161812320-ad2df558", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/deb5346761308d9cda3a249283a482a1ce08549e", "target":{"file":"libs/binder/ndk/ibinder_internal.h"}}, {"deprecated":false, "digest":{"line_hashes":["337953460655781670954193138801848487872", "129737973091506341549555497449437046760", "166341565519246474420017384019488169919", "43085590477963808790312978891684483105"], "threshold":0.9}, "id":"ASB-A-161812320-b9e2be20", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/deb5346761308d9cda3a249283a482a1ce08549e", "target":{"file":"libs/binder/ndk/ibinder.cpp"}}, {"deprecated":false, "digest":{"line_hashes":["166853182971095957477295542990318855226", "2714496182692667837940115498659040009", "127929062338231145922199514350132922165"], "threshold":0.9}, "id":"ASB-A-161812320-ee0f9107", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/deb5346761308d9cda3a249283a482a1ce08549e", "target":{"file":"libs/binder/ndk/test/libbinder_ndk_unit_test.cpp"}}, {"deprecated":false, "digest":{"line_hashes":["315785499823683027533714458595445267303", "186193274819663599976554617998107598682", "75193321492464836734796987614755455116", "160750622868819087105985984949384490650", "116552410365698554304017692825057346924", "142696787752292026367259100555575150769", "58627899538112562548751526190996095836", "83498136934319160209930637927120875644", "59564831642801405582725424701065084564"], "threshold":0.9}, "id":"ASB-A-161812320-ff6d4ddd", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/deb5346761308d9cda3a249283a482a1ce08549e", "target":{"file":"libs/binder/ndk/test/iface.cpp"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2020-11-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/native/+/10b19f86d9d8bec6f47f31449593711479f336a5"}]}