Multiple vulnerabilities in Google Android
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 34 |
| CVE-ID | CVE-2021-30319 CVE-2021-30311 CVE-2021-30308 CVE-2021-30307 CVE-2021-30301 CVE-2021-30300 CVE-2021-30287 CVE-2021-30285 CVE-2021-30353 CVE-2021-1049 CVE-2021-0959 CVE-2021-31889 CVE-2021-40148 CVE-2021-31890 CVE-2021-31346 CVE-2021-31345 CVE-2021-39633 CVE-2021-39634 CVE-2020-29368 CVE-2021-39659 CVE-2021-39628 CVE-2021-39620 CVE-2021-39622 CVE-2021-39618 CVE-2021-39623 CVE-2021-0643 CVE-2021-39621 CVE-2021-39630 CVE-2021-39632 CVE-2021-39627 CVE-2021-39629 CVE-2021-39625 CVE-2021-39626 CVE-2020-0338 |
| CWE-ID | CWE-190 CWE-122 CWE-120 CWE-617 CWE-400 CWE-704 CWE-20 CWE-264 CWE-319 CWE-200 CWE-362 CWE-787 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #25 is available. |
| Vulnerable software Subscribe |
Google Android Operating systems & Components / Operating system |
| Vendor |
Security Bulletin
This security bulletin contains information about 34 vulnerabilities.
1) Integer overflow
EUVDB-ID: #VU59185
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30319
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a malicious application to escalate privileges on the system.
The vulnerability exists due to integer overflow in WLAN HOST component. A malicious application can run a specially crafted WMI command on the system, trigger an integer overflow and execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Heap-based buffer overflow
EUVDB-ID: #VU59184
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30311
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a malicious application to escalate privileges on the system.
Mitigation
Install update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU59183
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30308
CWE-ID:
CWE-120 - Buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a malicious application to escalate privileges on the system.
The vulnerability exists due to a buffer overflow in RFA in the Modem component while printing the HARQ memory partition detail. A malicious application can trigger buffer overflow and execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Reachable Assertion
EUVDB-ID: #VU59192
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30307
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of DNS response when DNS client requests with PTR, NAPTR or SRV query type within the Data Modem component. A remote attacker can send a specially crafted response to the device, trigger an assertion failure and perform a denial denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Resource exhaustion
EUVDB-ID: #VU59191
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30301
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to out of memory while processing RRC and NAS OTA message in RFA within the Modem component. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Type conversion
EUVDB-ID: #VU59190
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30300
CWE-ID:
CWE-704 - Type conversion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a type conversion error in LTE within the Modem component, caused by incorrectly decoding hex data for the SIB2 OTA message and assigning a
garbage value to choice when processing the SRS configuration. A remote attacker can pass specially crafted data to the system, trigger a type conversion error and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Reachable Assertion
EUVDB-ID: #VU59189
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30287
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of symbols configured for PDCCH monitoring in NR5G within the Modem component. A remote attacker can send specially crafted data to the system, trigger an assertions failure and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Input validation error
EUVDB-ID: #VU59188
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30285
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient validation of memory region in Hypervisor in kernel component. A local application can lead execute arbitrary code with kernel privileges.
Install update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Reachable Assertion
EUVDB-ID: #VU59194
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-30353
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a improper validation of function pointer type with actual function signature within the Audio component. A remote attacker can pass specially crafted data to the device, trigger assertion failure and perform a denial of service attack.
Install update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU59325
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1049
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a malicious application to read arbitrary files on the system.
The vulnerability exists due to improper permissions in the Unisoc slogmodem. A local application can read arbitrary files on the system.
Install update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU59321
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-0959
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a malicious application to escalate privileges on the system.
The vulnerability exists due to Android runtime does not properly impose memory restrictions. A local application can execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Integer overflow
EUVDB-ID: #VU58089
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-31889
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow. A remote attacker can send a specially crafted TCP packet, trigger integer overflow and cause a denial of service condition on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Cleartext transmission of sensitive information
EUVDB-ID: #VU59324
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-40148
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to Modem EMM uses insecure communication channel to transmit sensitive information. A remote attacker with ability to intercept network traffic can gain access to sensitive data.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Input validation error
EUVDB-ID: #VU58090
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-31890
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the total length of a TCP payload (set in the IP header) is unchecked. A remote attacker can cause a denial of service condition on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Input validation error
EUVDB-ID: #VU58080
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-31346
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the total length of an UDP payload (set in the IP header) is unchecked. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack or gain access to sensitive information on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Input validation error
EUVDB-ID: #VU58079
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-31345
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the total length of an UDP payload (set in the IP header) is unchecked. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack or gain access to sensitive information on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Information disclosure
EUVDB-ID: #VU59323
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39633
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in OS kernel. A local application can gain unauthorized access to sensitive information on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Race condition
EUVDB-ID: #VU59322
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39634
Exploit availability: No
DescriptionThe vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a race condition in the OS kernel. A local application can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Out-of-bounds write
EUVDB-ID: #VU51549
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-29368
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing untrusted input within the __split_huge_pmd() function in mm/huge_memory.c in the Linux kernel. A local user can abuse the copy-on-write implementation and gain unintended write access because of a race condition in a THP mapcount check.
Install update from vendor's website.
Vulnerable software versionsGoogle Android: 9 2021-09-01 - 12 2022-01-01
CPE2.3- cpe:2.3:o:google:android:12:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:11:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:10:2022-01-01:*:*:*:*:*:
- cpe:2.3:o:google:android:9.0:2021-06-05:*:*:*:*:*:
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Improper input validation
EUVDB-ID: #VU74434
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39659
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the System component. A local application can perform a denial of service (DoS) attack.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 12 2022-01-01
CPE2.3http://android.googlesource.com/platform/packages/services/Telecomm/+/f1cae30e2c9837d1587a3a732bcc9398bd1f9e63
http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Information exposure
EUVDB-ID: #VU74433
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39628
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 11 2022-01-01
CPE2.3http://android.googlesource.com/platform/frameworks/base/+/9be6207510c2e39e2899a9ce7a93fb09f83134c6
http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Improper input validation
EUVDB-ID: #VU74425
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39620
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 12 2022-01-01
CPE2.3http://android.googlesource.com/platform/frameworks/native/+/f2e0a95700a937e421647623a60c9fc01d6e5d87
http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Improper input validation
EUVDB-ID: #VU74427
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39622
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 12 2022-01-01
CPE2.3http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Improper input validation
EUVDB-ID: #VU74424
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39618
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 12 2022-01-01
CPE2.3http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Improper input validation
EUVDB-ID: #VU74423
Risk: Low
CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2021-39623
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Media Framework component. A local application can execute arbitrary code.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 12 2022-01-01
CPE2.3http://android.googlesource.com/platform/frameworks/av/+/5753afcd4c87f5566f4014cce1cbc8d767572331
http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
26) Information exposure
EUVDB-ID: #VU74432
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-0643
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 12 2022-01-01
CPE2.3http://android.googlesource.com/platform/frameworks/opt/telephony/+/f6bb9b20840c29e74a37ea2b880e63b3fc9470ff
http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Improper input validation
EUVDB-ID: #VU74426
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39621
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 12 2022-01-01
CPE2.3http://android.googlesource.com/platform/packages/apps/Dialer/+/9c452d9f25d8fb41fd3ec627293a2481fde778d4
http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
28) Improper input validation
EUVDB-ID: #VU74421
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39630
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 12 2022-01-01
CPE2.3http://android.googlesource.com/platform/frameworks/base/+/b2dc041a4e84986e3a6932b127d3a18ef02b6d0a
http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
29) Improper input validation
EUVDB-ID: #VU74422
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39632
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 12 2022-01-01
CPE2.3http://android.googlesource.com/platform/bootable/recovery/+/f0a760b3a154ad328c682ec8559287befff14945
http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
30) Improper input validation
EUVDB-ID: #VU74430
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39627
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 12 2022-01-01
CPE2.3http://android.googlesource.com/platform/packages/apps/Dialer/+/9c452d9f25d8fb41fd3ec627293a2481fde778d4
http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
31) Improper input validation
EUVDB-ID: #VU74431
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39629
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 12 2022-01-01
CPE2.3http://android.googlesource.com/platform/hardware/nxp/nfc/+/63162916491d3ad034e0288fb2e254cf2b66db92
http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
32) Improper input validation
EUVDB-ID: #VU74428
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39625
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 12 2022-01-01
CPE2.3http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
33) Improper input validation
EUVDB-ID: #VU74429
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39626
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
MitigationInstall security update from vendor's website.
Vulnerable software versionsGoogle Android: before 12 2022-01-01
CPE2.3http://android.googlesource.com/platform/packages/apps/Settings/+/3f280c15b1808a94acd3ce2c4145c74e6f183855
http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
34) Information disclosure
EUVDB-ID: #VU47070
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-0338
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the framework component. A local application can gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Android: before 10 2022-01-01
CPE2.3http://source.android.com/docs/security/bulletin/2022-01-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
