Tracked as CVE-2020-11261, the zero-day vulnerability had affected Android devices using Qualcomm chipsets, and from the data that Google provided, the threat actors are actively exploiting the vulnerability in the wild.

The CVE-2020-11261 flaw represents an improper input validation in Graphics, which was rated with a CVSS score of 8.4, which is pretty high.

Memory corruption due to improper check to return an error when user application requests memory allocation of a huge size.

Source

The vulnerability could’ve been exploited through an attacker-engineered app that requests access to a huge portion of the device’s memory.

There are indications that CVE-2020-11261 may be under limited, targeted exploitation.

Source

The vulnerability in question, tracked as CVE-2020-11261, was patched by Google with the Android security updates released in January 2021.

The vulnerability is a high-severity improper input validation issue affecting a display/graphics component from Qualcomm. The flaw was reported to Qualcomm through Google in July 2020 and it affects a long list of chips.

Source

The CVE-2020-11261 flaw was reported to Qualcomm by Google’s Android Security team on August 20, 2020, and was addressed in January 2021.

The issue was then rated as high severity because it requires local access to be exploited, this means that attackers need physical access to the vulnerable device.

Google has given credit to security researcher Man Yue Mo for reporting the vulnerability. The researcher earned significant bug bounties from Google over the past few years for finding and reporting potentially serious Chrome bugs.

Google disclosed last week that a sophisticated threat actor had used at least 11 zero-day vulnerabilities as part of a huge spying campaign. The APT hacker group leveraged watering hole attacks in order to deliver malware to Windows, Android, and iOS devices, but for the time being it’s unclear if the CVE-2020-11261 has been exploited by this group.

cover photo for heimdal security news
2021.03.22 QUICK READ

11 Zero-Day Flaws Exploited in 2020 Campaigns, Google Reports

Heimdal Featured Image
2021.03.17 QUICK READ

Google Is Announcing Another Chrome Zero-Day Flaw

android permissions - concept image
2020.10.16 INTERMEDIATE READ

Android Permissions Can Be Dangerous: Full Guide to Managing Them

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP