CVE-2021-1048
Published: 15 December 2021
Summary
CVE-2021-1048 is a high-severity Use After Free (CWE-416) vulnerability in Google Android. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 23.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Deeper analysis
The vulnerability is a use-after-free flaw in the ep_loop_check_proc function of eventpoll.c in the Android kernel, tracked under Android ID A-204573007 and classified as CWE-416. It affects the Android kernel and can result in memory corruption. The issue was reported with an upstream kernel reference and carries a CVSS 3.1 base score of 7.8.
A local attacker who already holds user privileges on an affected Android device can trigger the flaw without additional execution rights or user interaction, escalating to higher privileges through memory corruption.
The primary advisory reference is the Android security bulletin dated 2021-11-01, which addresses the issue for supported Android kernel versions. The vulnerability is also catalogued by CISA among known exploited vulnerabilities, indicating confirmed real-world exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-6515
Vulnerability details
In ep_loop_check_proc of eventpoll.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android. Versions: Android kernel. Android ID: A-204573007. References: Upstream kernel.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 23 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-16 (Memory Protection): directly implements memory protection mechanisms that block use-after-free corruption in kernel structures such as those handled by ep_loop_check_proc.
- SC-39 (Process Isolation): enforces process isolation boundaries that limit the blast radius of kernel memory corruption to the affected process and prevent escalation.
- Least privilege: restricts the privileges assigned to user processes, reducing a local attacker's ability to leverage the UAF flaw for root-level access.