CVE-2021-39801

7.8 HIGH

📋 TL;DR

CVE-2021-39801 is a use-after-free vulnerability in the Android kernel's ION memory management subsystem. This allows local attackers to escalate privileges without user interaction, potentially gaining root access on affected devices. The vulnerability affects Android devices running vulnerable kernel versions.

💻 Affected Systems

Products:
  • Android devices
Versions: Android kernel versions before the April 2022 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices using the vulnerable ION memory management subsystem in the kernel. Specific device models vary by manufacturer kernel implementations.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full root privileges, compromising the entire device, accessing all data, and potentially installing persistent malware.

🟠 Likely Case

Local malware or malicious apps escalate privileges to gain unauthorized access to system resources and sensitive data.

🟢 If Mitigated

With proper kernel hardening and SELinux policies, exploitation may be limited to specific contexts, but root access remains possible.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the device.
🏢 Internal Only: HIGH - Any malicious app or user with local access could exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access but no user interaction. Kernel exploitation requires understanding of memory management and race conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patch level 2022-04-01 or later

Vendor Advisory: https://source.android.com/security/bulletin/2022-04-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update.
2. Install the April 2022 or later security patch.
3. Reboot the device.
4. For custom ROMs or kernels, apply the upstream kernel patch from the Android security bulletin.

🔧 Temporary Workarounds

Disable vulnerable ION functionality (Linux kernel configuration)

Remove or disable the vulnerable ION memory management subsystem if it is not required. This requires kernel configuration changes and is device-specific.

🧯 If You Can't Patch

  • Restrict installation of untrusted applications from unknown sources
  • Implement strict SELinux policies to limit privilege escalation impact

🔍 How to Verify

Check if Vulnerable:

Check kernel version and security patch level: Settings > About phone > Android version > Security patch level

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level is 2022-04-01 or later in device settings
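The verification step above as a script, added here as an example and not part of this page: a POSIX shell function validates the value of ro.build.version.security_patch and compares it against 2022-04-01, and a wrapper runs that check for every device adb reports as online. The wrapper assumes adb is on PATH and the devices are authorized for USB debugging; the function and variable names are my own.

```shell
#!/bin/sh
# Minimum Android security patch level carrying the fix for CVE-2021-39801
# (the 2022-04-01 bulletin referenced above).
FIXED_PATCH_LEVEL="2022-04-01"

# Return 0 if PATCH_LEVEL (YYYY-MM-DD, as read from ro.build.version.security_patch)
# is at or above FIXED_PATCH_LEVEL, 1 if it is older, 2 if it is missing or malformed.
patch_level_covers_cve_2021_39801() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Compare as integers (YYYYMMDD) rather than as strings.
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$FIXED_PATCH_LEVEL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then return 0; else return 1; fi
}

# Human-readable verdict for one device's reported patch level.
verdict_for() {
    rc=0
    patch_level_covers_cve_2021_39801 "$1" || rc=$?
    case $rc in
        0) echo "patched (>= $FIXED_PATCH_LEVEL)" ;;
        1) echo "VULNERABLE: install the $FIXED_PATCH_LEVEL patch or later" ;;
        *) echo "unknown: no valid security patch level reported" ;;
    esac
}

# Query every device adb reports as online and print serial, level and verdict.
check_connected_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r\n')
        printf '%s\t%s\t%s\n' "$serial" "${level:-<none>}" "$(verdict_for "$level")"
    done
}

# Only query devices when adb is actually available on this host.
if command -v adb >/dev/null 2>&1; then
    check_connected_devices
else
    echo "adb not found; skipping device query" >&2
fi
```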

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • ION subsystem error messages in dmesg
  • Unexpected privilege escalation attempts

Network Indicators:

  • None - this is a local exploit

SIEM Query:

Search for kernel crash logs or privilege escalation patterns in Android device logs
