CVE-2021-0303

7.0 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in Android's Car ComputePipe service due to a race condition in dispatchGraphTerminationMessage(). It allows local privilege escalation from user privileges to higher system privileges without requiring user interaction. Only Android 11 devices with the Car ComputePipe service are affected.

💻 Affected Systems

Products:
  • Android
Versions: Android 11 only
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with the Car ComputePipe service (typically automotive or embedded Android devices). Standard consumer Android phones may not be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains full system control over the Android device, potentially compromising all user data, installing persistent malware, or using the device as a foothold for further attacks.

🟠 Likely Case

Local attacker escalates privileges to gain access to protected system resources, sensitive data, or install malicious applications with elevated permissions.

🟢 If Mitigated

With proper security controls like SELinux enforcement and minimal privilege applications, impact is limited to the compromised process's context.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the device.
🏢 Internal Only: MEDIUM - Malicious apps or users with physical access could exploit this to gain elevated privileges on affected devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires winning a race condition and bypassing Android's security mitigations like ASLR and SELinux.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Patch Level 2021-01-01 or later

Vendor Advisory: https://source.android.com/security/bulletin/2021-01-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > Advanced > System update.
2. Install the January 2021 security patch or later.
3. Reboot the device after installation.

🔧 Temporary Workarounds

Disable Car ComputePipe Service

Disable the vulnerable service if not needed (may break automotive functionality)

adb shell pm disable com.android.car.computepipe

🧯 If You Can't Patch

  • Restrict physical access to devices and implement application allowlisting
  • Monitor for suspicious privilege escalation attempts using Android security logging

🔍 How to Verify

Check if Vulnerable:

Check Android version and security patch level: Settings > About phone > Android version and Security patch level

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Security patch level is 2021-01-01 or later and Car ComputePipe service version is updated
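
The version and patch-level checks above can be scripted for a fleet. The following is an added example, not part of the vendor advisory; the function names are hypothetical, and it assumes the standard ro.build.version.release property alongside the security_patch property shown above. It does not test whether the Car ComputePipe service is present.

```shell
#!/bin/sh
# Added example: classify a device against the criteria stated for CVE-2021-0303
# (Android 11 only; fixed at security patch level 2021-01-01 or later).
# Values are passed as arguments so the logic can be run offline on constructed input.

# cve_2021_0303_status RELEASE PATCH_LEVEL
# Prints one of: not-affected, patched, unpatched, unknown
cve_2021_0303_status() {
    release=$1
    patch=$2

    # Keep the major version only: "11" or "11.0" -> 11
    major=${release%%.*}
    case $major in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac

    # Android 11 is the only affected release listed.
    if [ "$major" -ne 11 ]; then
        echo not-affected
        return 0
    fi

    # Patch level must be YYYY-MM-DD; anything else cannot be compared safely.
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac

    # Strip the dashes so the date compares as an integer (20210101).
    n=$(printf '%s' "$patch" | tr -d '-')
    if [ "$n" -ge 20210101 ]; then
        echo patched
    else
        echo unpatched
    fi
}

# Query a connected device; adb output can carry a trailing CR, so strip it.
check_device() {
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    pl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    cve_2021_0303_status "$rel" "$pl"
}
```

An "unknown" result means a property was empty or malformed and the device needs manual review rather than being counted as patched.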

📡 Detection & Monitoring

Log Indicators:

  • SELinux denials related to Car ComputePipe service
  • Unexpected privilege escalation attempts in system logs

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

source="android_system" AND (process="computepipe" OR message="use-after-free")
