In reassemble_and_dispatch of packet_fragmenter.cc, there is possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-143894715
CVE-2020-0022
Score 8.8 from GitHub Security Advisory (severity: HIGH) published 2022-05-24. NVD baseline CVSS 8.8; sources differ by 0.0.
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.8
- EG Score
- 8.8(medium)
- EPSS
- 91.7%
- KEV
- Not listed
Published
February 13, 2020
Last Modified
November 21, 2024
References (8)
- security@androidhttp://packetstormsecurity.com/files/156891/Android-Bluetooth-Remote-Denial-Of-Service.html
- security@androidhttp://seclists.org/fulldisclosure/2020/Feb/10
- security@androidhttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200513-03-smartphone-en
- security@androidhttps://source.android.com/security/bulletin/2020-02-01
- af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/156891/Android-Bluetooth-Remote-Denial-Of-Service.html
- af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2020/Feb/10
- af854a3a-2127-422b-91ae-364da2661108http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200513-03-smartphone-en
- af854a3a-2127-422b-91ae-364da2661108https://source.android.com/security/bulletin/2020-02-01
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 8× in last 7d / 45× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:24 UTCEPSS rescore
- 2026-07-09 19:06 UTCEPSS rescore
- 2026-07-08 15:11 UTCEPSS rescore
- 2026-07-07 13:43 UTCEPSS rescore
- 2026-07-06 16:25 UTCEPSS rescore
- 2026-07-06 16:25 UTCEPSS rescore
- 2026-07-06 02:20 UTCEPSS rescore
- 2026-07-05 02:27 UTCEPSS rescore
- 2026-07-04 06:28 UTCEPSS rescore
- 2026-07-01 15:03 UTCEPSS rescore
- 2026-07-01 15:03 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-29 14:04 UTCEPSS rescore
- 2026-06-29 14:04 UTCEPSS rescore
- 2026-06-28 14:05 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-27 03:06 UTCEPSS rescore
- 2026-06-25 13:47 UTCEPSS rescore
- 2026-06-25 13:47 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
Show 52 moreShow fewer
- 2026-06-22 14:23 UTCEPSS rescore
- 2026-06-22 14:23 UTCEPSS rescore
- 2026-06-21 14:54 UTCEPSS rescore
- 2026-06-21 14:54 UTCEPSS rescore
- 2026-06-21 01:57 UTCEPSS rescore
- 2026-06-21 01:57 UTCEPSS rescore
- 2026-06-19 19:23 UTCEPSS rescore
- 2026-06-19 19:23 UTCEPSS rescore
- 2026-06-18 17:50 UTCEPSS rescore
- 2026-06-18 17:50 UTCEPSS rescore
- 2026-06-17 17:50 UTCEPSS rescore
- 2026-06-17 17:50 UTCEPSS rescore
- 2026-06-16 17:50 UTCEPSS rescore
- 2026-06-16 17:50 UTCEPSS rescore
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-12 23:09 UTCEPSS rescore
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 13:20 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 06:08 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 07:45 UTCEG score recompute
- 2026-05-27 07:45 UTCGHSA enrichment
- 2026-05-26 13:42 UTCEPSS rescore
- 2026-05-26 13:42 UTCEPSS rescore
Publicly available exploits
(6 references)Working exploit code is in the public domain (6 GitHub PoCs). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCthemmokhtar/CVE-2020-0022First seen Aug 28, 2023
A fully public exploit of the CVE-2020-0022 BlueFrag Android RCE Vulnerability (tested on Pixel 3 XL)
Open source ↗ - Open source ↗GitHub PoClsw29475/CVE-2020-0022First seen Feb 24, 2021
- GitHub PoC5k1l/cve-2020-0022First seen Dec 16, 2020
cve-2020-0022相关的一些东西
Open source ↗ - GitHub PoCPolo35/CVE-2020-0022First seen Aug 24, 2020
CVE-2020-0022 vulnerability exploitation on Bouygues BBox Miami (Android TV 8.0 - ARM32 Cortex A9)
Open source ↗ - GitHub PoCk3vinlusec/Bluefrag_CVE-2020-0022First seen Jul 1, 2020
This is a RCE bluetooth vulnerability on Android 8.0 and 9.0
Open source ↗ - GitHub PoCleommxj/cve-2020-0022First seen Feb 15, 2020
poc for cve-2020-0022
Open source ↗
Frequently asked(5)
What is CVE-2020-0022?
When was CVE-2020-0022 disclosed?
Is CVE-2020-0022 actively exploited?
What is the CVSS score of CVE-2020-0022?
How do I remediate CVE-2020-0022?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2020-0022
Is Your Infrastructure Affected by CVE-2020-0022?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.