CVE-2020-0150 – This CVE describes an out-of-bounds write vulne... (How to Fix)

Q: What is the severity of CVE-2020-0150?

CVE-2020-0150 has a CVSS score of 7.8 (HIGH). This CVE describes an out-of-bounds write vulnerability in Android's NFC stack that could allow local privilege escalation without user interaction. Attackers could exploit this to gain elevated system privileges on affected Android devices. Only Android 10 devices are affected.

📋 TL;DR

This CVE describes an out-of-bounds write vulnerability in Android's NFC stack that could allow local privilege escalation without user interaction. Attackers could exploit this to gain elevated system privileges on affected Android devices. Only Android 10 devices are affected.

💻 Affected Systems

Products:

Android

Versions: Android 10 only

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects devices with NFC hardware and Android 10. Pixel devices specifically mentioned in bulletins.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to execute arbitrary code with system privileges, install persistent malware, or access sensitive data.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass application sandboxing and gain elevated permissions on the device.

🟢

If Mitigated

Minimal impact if patched; unpatched devices remain vulnerable to local attacks.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring physical or network proximity to the device.

🏢 Internal Only: HIGH - Malicious apps or users with local access could exploit this to escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access but no user interaction. Exploitation involves NFC stack manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Patch Level 2020-06-01 or later

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2020-06-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > Advanced > System update. 2. Install Android Security Patch Level 2020-06-01 or later. 3. Reboot device after installation.

🔧 Temporary Workarounds

Disable NFC

android

Temporarily disable NFC functionality to prevent exploitation

Settings > Connected devices > Connection preferences > NFC > Toggle OFF

🧯 If You Can't Patch

Disable NFC functionality completely
Restrict physical access to devices and monitor for suspicious NFC activity

🔍 How to Verify

Check if Vulnerable:

Check Android version: Settings > About phone > Android version. If version is 10 and security patch level is before 2020-06-01, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.release && adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android Security Patch Level is 2020-06-01 or later: Settings > About phone > Android security patch level.

📡 Detection & Monitoring

Log Indicators:

Unusual NFC stack errors or crashes in system logs
Suspicious privilege escalation attempts

Network Indicators:

Unexpected NFC communication patterns

SIEM Query:

source="android_system" AND ("rw_t3t" OR "NFC" OR "privilege escalation")

📊 Metadata

CVE ID: CVE-2020-0150

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: June 11, 2020

Last Updated: November 21, 2024

🔗 References

https://source.android.com/security/bulletin/pixel/2020-06-01 Patch,Vendor Advisory
https://source.android.com/security/bulletin/pixel/2020-06-01 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-0150, you might also want to check these: