A vulnerability classified as critical was found in Google Android 8.0/8.1/9.0/10.0 (Smartphone Operating System). This vulnerability affects the function rw_t2t_handle_tlv_detect_rsp of the file rw_t2t_ndef.cc. The manipulation with an unknown input leads to a out-of-bounds write vulnerability. The CWE definition for the vulnerability is CWE-787. The product writes data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

In rw_t2t_handle_tlv_detect_rsp of rw_t2t_ndef.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over NFC with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-147310271

The weakness was shared 04/17/2020. This vulnerability was named CVE-2020-0072 since 10/17/2019. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are known, but there is no available exploit. The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment (estimation calculated on 04/18/2020). It is expected to see the exploit prices for this product increasing in the near future.

Applying a patch is able to eliminate this problem.

The entries 154058, 154057, 154056 and 154055 are related to this item.

Productinfo

Type

• Smartphone Operating System

Vendor

• Google

Name

• Android

Version

• 8.0
• 8.1
• 9.0
• 10.0

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion