Android 11 Security Release Notes

Published August 25, 2020 | Updated November 19, 2021

These Android Security Release Notes contain details of security vulnerabilities affecting Android devices that are addressed as part of Android 11. Android 11 devices with a security patch level of 2020-09-01 or later are protected against these issues (Android 11, as released on AOSP, will have a default security patch level of 2020-09-01). To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 11 release.

The severity assessment of issues in these release notes is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

Announcements

  • The issues described in this document are addressed as part of Android 11. This information is provided for reference and transparency.
  • We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

Android and Google Service Mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

Android 11 vulnerability details

The sections below provide details for security vulnerabilities fixed as part of Android 11. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.

Android runtime

CVE References Type Severity
CVE-2020-0330 A-150331085 EoP Moderate

Framework

CVE References Type Severity
CVE-2020-0267 A-139128211 EoP Critical
CVE-2020-0275 A-150507736 EoP High
CVE-2020-27098 A-138791358 EoP High
CVE-2020-0337 A-124329382 ID High
CVE-2020-27097 A-140729426 ID High
CVE-2020-0333 A-73822755 RCE Moderate
CVE-2019-13734 A-147323008 EoP Moderate
CVE-2019-13752 A-147320136 EoP Moderate
CVE-2019-13753 A-147320314 EoP Moderate
CVE-2020-0130 A-123230379 EoP Moderate
CVE-2020-0277 A-148627993 EoP Moderate
CVE-2020-0341 A-144920149 EoP Moderate
CVE-2020-0345 A-144286721 EoP Moderate
CVE-2020-0366 A-138443815 EoP Moderate
CVE-2019-13751 A-147322738 ID Moderate
CVE-2020-0288 A-153995991 ID Moderate
CVE-2020-0289 A-153996872 ID Moderate
CVE-2020-0290 A-153996866 ID Moderate
CVE-2020-0293 A-141455849 ID Moderate
CVE-2020-0296 A-153356209 ID Moderate
CVE-2020-0297 A-155183624 ID Moderate
CVE-2020-0308 A-153654357 ID Moderate
CVE-2020-0312 A-153879099 ID Moderate
CVE-2020-0317 A-119671929 ID Moderate
CVE-2020-0343 A-119672472 ID Moderate
CVE-2020-0352 A-132074310 ID Moderate
CVE-2020-0372 A-119673147 ID Moderate

Library

CVE References Type Severity
CVE-2020-0369 A-130231426 EoP Moderate
CVE-2019-8842 A-141551144 ID Moderate
CVE-2020-0322 A-147002540 ID Moderate
CVE-2020-0323 A-146516087 ID Moderate
CVE-2020-0425 A-124000380 ID High
CVE-2020-0426 A-154921790 ID Moderate
CVE-2020-3898 A-111450151 ID Moderate

Media framework

CVE References Type Severity
CVE-2020-0264 A-116718596 RCE Moderate
CVE-2020-0303 A-148223229 RCE Moderate
CVE-2020-0321 A-155171907 RCE Moderate
CVE-2020-0306 A-139666480 EoP Moderate
CVE-2020-0336 A-153467444 EoP Moderate
CVE-2020-0346 A-147002762 EoP Moderate
CVE-2020-0356 A-143787559 EoP Moderate
CVE-2020-0357 A-150225569 EoP Moderate
CVE-2020-0358 A-150227563 EoP Moderate
CVE-2020-0360 A-145129456 EoP Moderate
CVE-2020-0406 A-137794014 EoP Moderate
CVE-2020-0125 A-137282168 ID Moderate
CVE-2020-0270 A-145790628 ID Moderate
CVE-2020-0274 A-120781925 ID Moderate
CVE-2020-0279 A-131430997 ID Moderate
CVE-2020-0314 A-154934920 ID Moderate
CVE-2020-0324 A-136660304 ID Moderate
CVE-2020-0328 A-150156131 ID Moderate
CVE-2020-0329 A-63522940 ID Moderate
CVE-2020-0340 A-144901522 ID Moderate
CVE-2020-0344 A-140729887 ID Moderate
CVE-2020-0355 A-141883493 ID Moderate
CVE-2020-0359 A-150303018 ID Moderate
CVE-2020-0361 A-151927433 ID Moderate
CVE-2020-0364 A-137282770 ID Moderate
CVE-2020-0370 A-112051700 ID Moderate
CVE-2020-0373 A-146894086 ID Moderate
CVE-2020-0287 A-141860394 DoS Moderate
CVE-2020-0301 A-124940460 DoS Moderate
CVE-2020-0320 A-129282427 DoS Moderate
CVE-2020-0332 A-124783982 DoS Moderate
CVE-2020-0351 A-124777537 DoS Moderate
CVE-2020-0353 A-124777526 DoS Moderate
CVE-2020-0362 A-123237930 DoS Moderate
CVE-2020-0363 A-132274514 DoS Moderate

System

CVE References Type Severity
CVE-2020-0266 A-111086459 EoP High
CVE-2020-0374 A-156251602 EoP High
CVE-2020-0375 A-156253476 EoP High
CVE-2020-0318 A-33646131 DoS High
CVE-2020-0354 A-143604331 RCE Moderate
CVE-2019-5094 A-141639890 EoP Moderate
CVE-2020-0089 A-137015603 EoP Moderate
CVE-2020-0262 A-156353008 EoP Moderate
CVE-2020-0268 A-148294643 EoP Moderate
CVE-2020-0271 A-144507081 EoP Moderate
CVE-2020-0273 A-155646800 EoP Moderate
CVE-2020-0298 A-145129266 EoP Moderate
CVE-2020-0299 A-145130119 EoP Moderate
CVE-2020-0309 A-147227320 EoP Moderate
CVE-2020-0319 A-137868765 EoP Moderate
CVE-2020-0326 A-146453119 EoP Moderate
CVE-2020-0334 A-147995915 EoP Moderate
CVE-2020-0335 A-122361504 EoP Moderate
CVE-2020-0347 A-136658008 EoP Moderate
CVE-2020-0350 A-139424089 EoP Moderate
CVE-2020-0405 A-157475111 EoP Moderate
CVE-2021-0846 A-165596375 ID Moderate
CVE-2020-0263 A-154913130 ID Moderate
CVE-2020-0265 A-150155839 ID Moderate
CVE-2020-0269 A-151645626 ID Moderate
CVE-2020-0272 A-130166487 ID Moderate
CVE-2020-0276 A-156253586 ID Moderate
CVE-2020-0281 A-137857778 ID Moderate
CVE-2020-0282 A-144506224 ID Moderate
CVE-2020-0284 A-156253784 ID Moderate
CVE-2020-0285 A-156253479 ID Moderate
CVE-2020-0286 A-150214479 ID Moderate
CVE-2020-0291 A-146032016 ID Moderate
CVE-2020-0292 A-110107252 ID Moderate
CVE-2020-0295 A-155650969 ID Moderate
CVE-2020-0300 A-148736216 ID Moderate
CVE-2020-0302 A-151646375 ID Moderate
CVE-2020-0304 A-151645695 ID Moderate
CVE-2020-0307 A-151645867 ID Moderate
CVE-2020-0310 A-153356468 ID Moderate
CVE-2020-0311 A-153878642 ID Moderate
CVE-2020-0313 A-154917989 ID Moderate
CVE-2020-0315 A-155642026 ID Moderate
CVE-2020-0316 A-154934919 ID Moderate
CVE-2020-0325 A-145079309 ID Moderate
CVE-2020-0327 A-129151407 ID Moderate
CVE-2020-0331 A-147309310 ID Moderate
CVE-2020-0348 A-139188582 ID Moderate
CVE-2020-0349 A-139188779 ID Moderate
CVE-2020-0365 A-137346580 DoS Moderate

Common questions and answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

To learn how to check a device's security patch level, see Check and update your Android version.

Android 11, as released on AOSP, has a default security patch level of 2020-09-01. Android devices running Android 11 and with a security patch level of 2020-09-01 or later address all issues contained in these security release notes.
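
One way to apply the patch-level rule from this answer to a set of devices, as an added example that is not part of the original release notes. The function names, the inventory format and the sample serials are assumptions made for illustration; the two properties are the standard Android build properties read with adb shell getprop.

```shell
#!/bin/sh
# Added example: classify devices against the baseline stated in these notes.
BASELINE="2020-09-01"   # security patch level given in the release notes

# classify RELEASE PATCH -> protected | outdated | unknown | not-android-11
classify() {
    release=$1
    patch=$2
    # The notes only make a statement about Android 11 devices.
    case "$release" in
        11|11.*) ;;
        *) echo "not-android-11"; return 0 ;;
    esac
    # Only a YYYY-MM-DD shaped value can be compared; empty or odd values are unknown.
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # Fixed-width ISO dates sort chronologically, so sort puts the older one first.
    oldest=$(printf '%s\n%s\n' "$BASELINE" "$patch" | sort | head -n 1)
    if [ "$oldest" = "$BASELINE" ]; then echo "protected"; else echo "outdated"; fi
}

# classify_device SERIAL: read both properties from a device attached over adb.
classify_device() {
    release=$(adb -s "$1" shell getprop ro.build.version.release | tr -d '\r')
    patch=$(adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r')
    classify "$release" "$patch"
}

# audit_inventory: "serial release patch" lines on stdin -> "serial status" lines.
audit_inventory() {
    while read -r serial release patch; do
        [ -n "$serial" ] || continue
        echo "$serial $(classify "$release" "$patch")"
    done
}

# Constructed sample inventory (hypothetical serials, not real devices).
SAMPLE='devA 11 2020-09-01
devB 11 2020-08-05
devC 11 2021-03-05
devD 10 2020-09-01
devE 11'

printf '%s\n' "$SAMPLE" | audit_inventory
```

A status of unknown (devE, whose patch level is missing) should be treated as needing manual review rather than as protected.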

2. What do the entries in the Type column mean?

Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.

Abbreviation Definition
RCE Remote code execution
EoP Elevation of privilege
ID Information disclosure
DoS Denial of service
N/A Classification not available

3. What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

Prefix Reference
A- Android bug ID

Versions

Version Date Notes
1.0 August 25, 2020 Security Release Notes published
1.1 December 30, 2020 Updated issue list
1.2 January 27, 2021 Updated issue list
1.3 November 17, 2021 Updated issue list