{"id":"ASB-A-146398979","details":"In allocExcessBits of bitalloc.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-146398979","CVE-2020-0380"],"modified":"2026-04-27T15:40:08.012512Z","published":"2020-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2020-09-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/system/bt/+/59c234a8fddda37147bb3fe1dd3b3a668828bcab"}],"affected":[{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"8.0:0"},{"fixed":"8.0:2020-09-01"}]}],"versions":["8.0"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"function_hash":"321234905431845260252678837018518904275","length":2528},"signature_version":"v1","source":"https://android.googlesource.com/platform/system/bt/+/59c234a8fddda37147bb3fe1dd3b3a668828bcab","target":{"function":"OI_CODEC_SBC_DecodeFrame","file":"embdrv/sbc/decoder/srce/decoder-sbc.c"},"signature_type":"Function","id":"ASB-A-146398979-1312805f","deprecated":false},{"digest":{"line_hashes":["299122073098996808654107516758968955565","286252558384371725332049297140246791036","28851737143717057705984729275717971822","166728063500436628648921626767346014890","213579653298428298585614861308521870936","295351673693555017889999086667776480352","114546012834183047704107748653278505547","222828746183569043499428306079904321165"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/platform/system/bt/+/59c234a8fddda37147bb3fe1dd3b3a668828bcab","target":{"file":"embdrv/sbc/decoder/srce/decoder-sbc.c"},"signature_type":"Line","id":"ASB-A-146398979-8488f02c","deprecated":false}],"spl":"2020-09-01","types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/59c234a8fddda37147bb3fe1dd3b3a668828bcab"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-146398979.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"8.1:0"},{"fixed":"8.1:2020-09-01"}]}],"versions":["8.1"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"line_hashes":["299122073098996808654107516758968955565","286252558384371725332049297140246791036","28851737143717057705984729275717971822","166728063500436628648921626767346014890","213579653298428298585614861308521870936","295351673693555017889999086667776480352","114546012834183047704107748653278505547","222828746183569043499428306079904321165"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/platform/system/bt/+/59c234a8fddda37147bb3fe1dd3b3a668828bcab","target":{"file":"embdrv/sbc/decoder/srce/decoder-sbc.c"},"signature_type":"Line","id":"ASB-A-146398979-58d34f5f","deprecated":false},{"digest":{"function_hash":"321234905431845260252678837018518904275","length":2528},"signature_version":"v1","source":"https://android.googlesource.com/platform/system/bt/+/59c234a8fddda37147bb3fe1dd3b3a668828bcab","target":{"function":"OI_CODEC_SBC_DecodeFrame","file":"embdrv/sbc/decoder/srce/decoder-sbc.c"},"signature_type":"Function","id":"ASB-A-146398979-c8cb7457","deprecated":false}],"spl":"2020-09-01","types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/59c234a8fddda37147bb3fe1dd3b3a668828bcab"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-146398979.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"9:0"},{"fixed":"9:2020-09-01"}]}],"versions":["9"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"line_hashes":["299122073098996808654107516758968955565","286252558384371725332049297140246791036","28851737143717057705984729275717971822","166728063500436628648921626767346014890","213579653298428298585614861308521870936","295351673693555017889999086667776480352","114546012834183047704107748653278505547","222828746183569043499428306079904321165"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/platform/system/bt/+/59c234a8fddda37147bb3fe1dd3b3a668828bcab","target":{"file":"embdrv/sbc/decoder/srce/decoder-sbc.c"},"signature_type":"Line","id":"ASB-A-146398979-010c7a18","deprecated":false},{"digest":{"function_hash":"321234905431845260252678837018518904275","length":2528},"signature_version":"v1","source":"https://android.googlesource.com/platform/system/bt/+/59c234a8fddda37147bb3fe1dd3b3a668828bcab","target":{"function":"OI_CODEC_SBC_DecodeFrame","file":"embdrv/sbc/decoder/srce/decoder-sbc.c"},"signature_type":"Function","id":"ASB-A-146398979-aed33ebd","deprecated":false}],"spl":"2020-09-01","types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/59c234a8fddda37147bb3fe1dd3b3a668828bcab"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-146398979.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2020-09-01"}]}],"versions":["10"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"function_hash":"321234905431845260252678837018518904275","length":2528},"signature_version":"v1","source":"https://android.googlesource.com/platform/system/bt/+/59c234a8fddda37147bb3fe1dd3b3a668828bcab","target":{"function":"OI_CODEC_SBC_DecodeFrame","file":"embdrv/sbc/decoder/srce/decoder-sbc.c"},"signature_type":"Function","id":"ASB-A-146398979-091a7817","deprecated":false},{"digest":{"line_hashes":["299122073098996808654107516758968955565","286252558384371725332049297140246791036","28851737143717057705984729275717971822","166728063500436628648921626767346014890","213579653298428298585614861308521870936","295351673693555017889999086667776480352","114546012834183047704107748653278505547","222828746183569043499428306079904321165"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/platform/system/bt/+/59c234a8fddda37147bb3fe1dd3b3a668828bcab","target":{"file":"embdrv/sbc/decoder/srce/decoder-sbc.c"},"signature_type":"Line","id":"ASB-A-146398979-81da0fd3","deprecated":false}],"spl":"2020-09-01","types":["RCE"],"fixes":["https://android.googlesource.com/platform/system/bt/+/59c234a8fddda37147bb3fe1dd3b3a668828bcab"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-146398979.json"}}],"schema_version":"1.7.5"}