Multiple vulnerabilities in Google Android



Risk: High
Patch available: YES
Number of vulnerabilities: 19
CVE-ID: CVE-2021-1933, CVE-2021-1974, CVE-2021-30290, CVE-2021-30294, CVE-2021-1886, CVE-2021-1888, CVE-2021-1889, CVE-2021-1890, CVE-2021-1946, CVE-2021-1941, CVE-2021-1909, CVE-2021-1923, CVE-2021-1934, CVE-2021-1935, CVE-2021-1952, CVE-2021-1971, CVE-2021-30295, CVE-2021-1948, CVE-2021-0428
CWE-ID: CWE-129, CWE-126, CWE-476, CWE-822, CWE-415, CWE-119, CWE-120, CWE-704, CWE-200
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Google Android (Operating systems & Components / Operating system)
Vendor: Google

Security Bulletin

This security bulletin contains information about 19 vulnerabilities.

1) Improper Validation of Array Index

EUVDB-ID: #VU56341

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-1933

CWE-ID: CWE-129 - Improper Validation of Array Index

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper validation of an INVITE message with an SDP body within the Data Modem component. A remote attacker can send specially crafted data to the system, trigger memory corruption and execute arbitrary code on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer Over-read

EUVDB-ID: #VU56336

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-1974

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a lack of alignment between the map or unmap lengths of the IPA SMMU and the WLAN SMMU within the WLAN Host Communication component. A remote attacker can send specially crafted data to the system and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) NULL pointer dereference

EUVDB-ID: #VU56349

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-30290

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error caused by a race condition between timeline fence signal and timeline fence destroy in the Graphics subsystem. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) NULL pointer dereference

EUVDB-ID: #VU56350

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-30294

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in a KGSL GPU auxiliary command within the Graphics subsystem. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Untrusted Pointer Dereference

EUVDB-ID: #VU54531

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-1886

CWE-ID: CWE-822 - Untrusted Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a malicious application to escalate privileges on the system.

The vulnerability exists due to an untrusted pointer dereference within the Key Management component in HLOS. A malicious application can trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Double Free

EUVDB-ID: #VU54532

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-1888

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a malicious application to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the Trusted Application implementation in HLOS. A malicious application can pass specially crafted data to the system, trigger a double free error and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Buffer overflow

EUVDB-ID: #VU54549

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-1889

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in the Trusted Application component in HLOS. A malicious application can trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Buffer overflow

EUVDB-ID: #VU54550

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-1890

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error caused by an improper length check of the public exponent in the RSA import key function in HLOS. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) NULL pointer dereference

EUVDB-ID: #VU56342

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-1946

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a NULL pointer dereference error while processing a crafted SDP body within the Data Modem component. A remote attacker can send specially crafted data to the system and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Buffer Over-read

EUVDB-ID: #VU56333

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-1941

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an improper length check on the WPA IE string sent by a peer within the WLAN Host Communication component. A remote attacker can send specially crafted data to the system and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Buffer overflow

EUVDB-ID: #VU56343

Risk: Low

CVSSv4.0: 4.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-1909

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a lack of length check on parameters passed from trusted applications within the Core component. A local application can trigger a buffer overflow and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Type conversion

EUVDB-ID: #VU55524

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-1923

CWE-ID: CWE-704 - Type conversion

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because an incorrect pointer argument is passed to the trusted application (TA) in the HLOS subsystem. A local user can run a specially crafted program to execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Double Free

EUVDB-ID: #VU56344

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-1934

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists within Digital Rights Management in Content Protection due to an improper check when the application loader object is explicitly destructed while the application is unloading. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) NULL pointer dereference

EUVDB-ID: #VU56345

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-1935

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error during key import in the HLOS component. A local user can pass specially crafted data to the system and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Buffer overflow

EUVDB-ID: #VU56346

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-1952

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the Boot subsystem. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Buffer Over-read

EUVDB-ID: #VU56335

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-1971

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a lack of physical layer state validation within the WLAN HAL. A remote attacker can send specially crafted data to the system and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Buffer overflow

EUVDB-ID: #VU56337

Risk: Low

CVSSv4.0: 4.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-30295

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of a local variable while storing current task information locally within the DSP Service. A local user can perform a denial of service attack or corrupt files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Buffer Over-read

EUVDB-ID: #VU56334

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-1948

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a lack of length check on data while parsing the beacon or probe response within the WLAN Host Communication component. A remote attacker can send specially crafted data to the system and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Information disclosure

EUVDB-ID: #VU51917

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-0428

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to an unspecified error in the System component. A local user can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: before 8.1 2021-09-05, 9 2021-09-05, 10 2021-09-05, 11 2021-09-05

External links

https://source.android.com/security/bulletin/2021-09-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


