CVE-2021-0920

CVSS 6.4 MEDIUM · EPSS 0.8% · KEV · CWE-416
In short

A race condition in Android's Unix socket implementation allows a local attacker to use memory that has already been freed, potentially gaining system-level privileges without needing to interact with the user.

Technical detail

CVE-2021-0920 is a use-after-free vulnerability (CWE-416) in unix_scm_to_skb() within af_unix.c, triggered by a race condition in concurrent socket operations. An attacker with local code execution can exploit it to escalate privileges to system level; no user interaction is required.

Summary generated and translated by AI from the official description.
In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android kernel
Android ID: A-196926917
References: Upstream kernel
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · Android
