Cyber Resilience

CVE-2021-39793

HighCISA KEVActive ExploitationEUVD Exploited

Published: 16 March 2022

Published
16 March 2022
Modified
23 October 2025
KEV Added
11 April 2022
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 28.9th percentile
Risk Priority 36 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-39793 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 28.9th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an out-of-bounds write in the function kbase_jd_user_buf_pin_pages within mali_kbase_mem.c, caused by a logic error in the code. It affects the Android kernel and is tracked under Android ID A-210470189, with a CVSS 3.1 base score of 7.8 reflecting local attack vector, low complexity, and high impact on confidentiality, integrity, and availability. The underlying weakness is categorized as CWE-787.

A local attacker with no additional execution privileges and without requiring user interaction can exploit the flaw to achieve privilege escalation on the affected system. The issue resides in the Mali kernel driver code path handling user buffer pinning, enabling memory corruption that can be leveraged for elevated access.

The March 2022 Pixel security bulletin addresses the issue through kernel updates for supported Android devices, while CISA lists the CVE in its known exploited vulnerabilities catalog, indicating confirmed real-world exploitation.

EU & UK References

Vulnerability details

In kbase_jd_user_buf_pin_pages of mali_kbase_mem.c, there is a possible out of bounds write due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for…

more

exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-210470189References: N/A

CWE(s)
KEV Date Added
11 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
android
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the kernel patch that eliminates the out-of-bounds write logic error in mali_kbase_mem.c.

prevent

Implements memory-protection mechanisms that block exploitation of the CWE-787 out-of-bounds write for local privilege escalation.

prevent

Enforces validation of user-supplied buffer parameters passed to kbase_jd_user_buf_pin_pages, mitigating the root logic error.

References