Login Sign Up

CVE-2021-0473

8.8 HIGH
Remote Code Execution

📋 TL;DR

This CVE describes a double-free vulnerability in Android's NFC stack that could allow remote code execution without user interaction. An attacker could exploit this by sending malicious NFC data to an affected device, potentially gaining control over it. All Android devices running versions 8.1 through 11 are affected.

💻 Affected Systems

Products:
  • Android
Versions: Android 8.1, 9, 10, 11
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with NFC capability running affected Android versions are vulnerable by default when NFC is enabled.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker gains full control of device via NFC, installs malware, steals data, or bricks device without user interaction.

🟠

Likely Case

Device crashes or becomes unstable due to memory corruption, potentially leading to denial of service.

🟢

If Mitigated

With NFC disabled or device not in proximity to attacker, no impact occurs.

🌐 Internet-Facing: LOW (requires physical proximity via NFC, not internet-based)
🏢 Internal Only: MEDIUM (requires attacker physical access or NFC relay attack capability)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires NFC proximity and knowledge of the vulnerability, but no authentication or user interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Patch Level May 2021 or later

Vendor Advisory: https://source.android.com/security/bulletin/2021-05-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > Advanced > System update. 2. Install Android Security Patch Level May 2021 or later. 3. Reboot device after installation.

🔧 Temporary Workarounds

Disable NFC

android

Turn off NFC functionality to prevent exploitation via this vector

Settings > Connected devices > Connection preferences > NFC > Toggle OFF

🧯 If You Can't Patch

  • Disable NFC functionality completely on all affected devices
  • Implement physical security controls to prevent unauthorized NFC devices near corporate devices

🔍 How to Verify

Check if Vulnerable:

Check Android version in Settings > About phone > Android version. If version is 8.1, 9, 10, or 11, check Security patch level. If before May 2021, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.release && adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android Security Patch Level is May 2021 or later in Settings > About phone > Android security update.

📡 Detection & Monitoring

Log Indicators:

  • NFC service crashes in logcat
  • Memory corruption errors in system logs
  • Unexpected NFC tag processing failures

Network Indicators:

  • N/A (exploitation is local via NFC)

SIEM Query:

N/A (requires physical device logs)

📊 Metadata

CVE ID: CVE-2021-0473
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-908
Published: June 11, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-0473, you might also want to check these:

CVE-2021-26305 9.8

CVE-2021-26305 is a deserialization vulnerability in the cdr crate for Rust that allows a malicious ...

Same vulnerability type (CWE-908)
CVE-2020-36443 9.8

This vulnerability in libp2p-deflate crate for Rust allows reading uninitialized memory due to passi...

Same vulnerability type (CWE-908)
CVE-2020-36452 9.8

This vulnerability in the array-tools Rust crate allows attackers to cause memory corruption by expl...

Same vulnerability type (CWE-908)