Vulnerability identifier: #VU61095
Vulnerability risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID:
CWE-ID: CWE-119
Exploitation vector: Local
Exploit availability: Yes
Vulnerable software: Google Android (Operating systems & Components / Operating system)
Vendor: Google
Description
The vulnerability allows a malicious host to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the USB subsystem in the Linux kernel. A malicious USB device can trigger memory corruption and execute arbitrary code on the system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Google Android: 10 2020-12-05 - 12
External links
https://source.android.com/security/bulletin/2022-03-01#details-05
https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de
https://android.googlesource.com/kernel/common/+/53afb231f54a69d827b882fa282b30bb10cb08a5
https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88
Can this vulnerability be exploited remotely?
No. The attacker must have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.