CVE-2021-39634

7.8 HIGH

📋 TL;DR

CVE-2021-39634 is a use-after-free vulnerability in the Linux kernel's eventpoll subsystem that allows local attackers to escalate privileges on affected Android devices. The vulnerability requires no user interaction and no additional execution privileges, making it dangerous for unpatched systems. This affects Android devices running vulnerable kernel versions.

💻 Affected Systems

Products:
  • Android
Versions: Android kernel versions before January 2022 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Android devices with vulnerable kernel versions. The vulnerability is in the upstream Linux kernel eventpoll implementation.

📦 What is this software?

Android ships a Linux kernel. eventpoll is the kernel subsystem behind the epoll(7) system calls, which let a process wait for readiness events on many file descriptors at once; the flaw lies in that upstream kernel code rather than in Android-specific components.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full root privilege escalation allowing complete device compromise, data theft, and persistence installation.

🟠 Likely Case: Local privilege escalation to root, enabling installation of malware, data access, and system modification.

🟢 If Mitigated: Limited impact if SELinux/AppArmor policies restrict kernel exploitation or if the device has minimal local attack surface.

🌐 Internet-Facing: LOW (requires local access, not remotely exploitable)
🏢 Internal Only: HIGH (local attackers can gain root privileges without authentication)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access but no authentication. Kernel exploitation typically requires specific knowledge of memory layout and timing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patch level 2022-01-01 or later

Vendor Advisory: https://source.android.com/security/bulletin/2022-01-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update.
2. Install the January 2022 or later security patch.
3. Reboot the device after the update completes.

🔧 Temporary Workarounds

Restrict local user access (applies to: all)

Limit physical access to devices and implement strict user privilege separation.

Enable SELinux enforcing mode (applies to: linux)

Ensure SELinux is in enforcing mode to limit kernel exploitation impact. Check the current mode, then switch to enforcing if it reports permissive:

getenforce
setenforce 1

Note that production Android builds run SELinux in enforcing mode by default, and setenforce requires a root shell; on a stock device this workaround mainly serves as a check that the policy has not been relaxed.

🧯 If You Can't Patch

  • Isolate vulnerable devices from critical networks and data
  • Implement strict physical security controls and monitor for suspicious local activity

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level under Settings > About phone > Android security patch level. If it is before 2022-01-01, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify that the security patch level is 2022-01-01 or later. Check the kernel version with 'uname -r' and compare it with patched versions.
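The verification steps above can be scripted so that a fleet check does not depend on reading the Settings screen by hand. The following POSIX shell script is an added example, not part of the original advisory: it classifies a patch level string against the 2022-01-01 level named above, and the `check_device` helper reads the live value with the `adb shell getprop` command from the Check Version step (it assumes `adb` is on PATH and exactly one authorized device is attached). Patch levels are YYYY-MM-DD strings, so they compare correctly as integers once the dashes are removed.

```shell
#!/bin/sh
# Added example, not part of the original advisory: classify an Android
# security patch level against the fixing level named in the bulletin.

FIXED_PATCH_LEVEL="2022-01-01"   # patch level that carries the fix (from the advisory)

# to_number YYYY-MM-DD -> YYYYMMDD, so levels compare as plain integers
to_number() {
    printf '%s' "$1" | sed 's/-//g'
}

# patch_state PATCH_LEVEL
# Prints "patched", "vulnerable" or "unknown" and returns 0, 1 or 2,
# so the function can drive both a report and an exit status.
patch_state() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) printf 'unknown\n'; return 2 ;;
    esac
    if [ "$(to_number "$level")" -lt "$(to_number "$FIXED_PATCH_LEVEL")" ]; then
        printf 'vulnerable\n'
        return 1
    fi
    printf 'patched\n'
    return 0
}

# check_device: read the live value from an attached device over adb
# (assumption: adb is on PATH and one device is authorized for debugging).
check_device() {
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    printf 'ro.build.version.security_patch=%s -> ' "$level"
    patch_state "$level"
}

# Run the live check only when invoked with --device; otherwise the
# functions above can be called on their own (e.g. from a fleet inventory).
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

Usage: `sh check_patch_level.sh --device` for the attached device, or call `patch_state` on values exported from an MDM inventory. A device that reports "unknown" (a blank or malformed property) should be treated as unverified rather than patched.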

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • SELinux/AppArmor denials for privilege escalation attempts
  • Unexpected root process execution

Network Indicators:

  • None (local-only vulnerability)

SIEM Query:

source="android_kernel" AND (event_id="panic" OR severity="critical")
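For devices that export dmesg or logcat to a collector, the log indicators listed above can be counted directly before any SIEM is involved. The following POSIX shell script is an added example, not part of the original advisory: it counts the kernel panic banner and SELinux denial lines in a log file and summarizes denials by source domain (the `scontext=` field of the standard SELinux avc format). The log lines it writes with `make_sample_log` are constructed for the example and are not real device output; the field values in them are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original advisory: count the log indicators
# the advisory names (kernel panics, SELinux denials) in a dmesg/logcat export.

# indicator_hits LOGFILE -> prints "panic=<n> avc=<n>"
# "Kernel panic" is the kernel's own panic banner; "avc: denied" is the
# SELinux access-vector-cache denial format used on Android and Linux.
indicator_hits() {
    logfile="$1"
    panic=$(grep -c 'Kernel panic' "$logfile" || true)
    avc=$(grep -c 'avc: *denied' "$logfile" || true)
    printf 'panic=%s avc=%s\n' "$panic" "$avc"
}

# denial_domains LOGFILE -> one "<count> <scontext>" line per denied source
# domain, most frequent first; a single domain generating many denials is
# the triage starting point for the "privilege escalation attempts" indicator.
denial_domains() {
    grep 'avc: *denied' "$1" \
      | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' \
      | sort | uniq -c | sort -rn
}

# top_denial_domain LOGFILE -> just the most frequent source domain
top_denial_domain() {
    denial_domains "$1" | head -n 1 | awk '{ print $2 }'
}

# make_sample_log -> writes CONSTRUCTED sample lines (not real device
# output) to a temp file and prints its path
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[  123.456789] type=1400 audit(0.0:1): avc: denied { read } for pid=2222 comm="app_process" name="stat" dev="proc" ino=4 scontext=u:r:untrusted_app:s0 tcontext=u:r:init:s0 tclass=file permissive=0
[  123.567890] type=1400 audit(0.0:2): avc: denied { ioctl } for pid=2222 comm="app_process" path="/dev/binder" dev="tmpfs" ino=5 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:binder_device:s0 tclass=chr_file permissive=0
[  124.000000] type=1400 audit(0.0:3): avc: denied { write } for pid=3333 comm="sh" name="data" dev="dm-0" ino=6 scontext=u:r:shell:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
[  130.000000] Kernel panic - not syncing: Fatal exception
[  130.100000] CPU: 0 PID: 2222 Comm: app_process Tainted: G
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample when run directly.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_log)
    indicator_hits "$sample"
    denial_domains "$sample"
    rm -f "$sample"
fi
```

Usage: `sh scan_indicators.sh --demo` runs against the constructed sample; for real data pass an exported `dmesg` or `logcat -b all` file to `indicator_hits` and `denial_domains`. Panics and denials are noisy on their own, so the summary is meant to prioritize which devices to pull full logs from, not to confirm exploitation.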
