cbcvebase.
CVE-2021-0396
published 2021-03-10

CVE-2021-0396: In Builtins::Generate_ArgumentsAdaptorTrampoline of builtins-arm.cc and related files, there is a possible out of bounds write due to an incorrect bounds…

Priority P258 | critical | 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.93% (77.5th percentile)
In Builtins::Generate_ArgumentsAdaptorTrampoline of builtins-arm.cc and related files, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-8.1 Android-9 Android-10 Android-11
Android ID: A-160610106

Affected

12 ranges
Vendor | Product | Version range | Fixed in
google | android | |
google | android | |
google | android | |
google | android | |
google | android | |
google | android | |
isc | bind9 | >= 0 < 1:9.11.3+dfsg-1ubuntu1.17 | 1:9.11.3+dfsg-1ubuntu1.17
isc | bind9 | >= 0 < 1:9.16.1-0ubuntu2.10 | 1:9.16.1-0ubuntu2.10
platform | external_v8 | >= 10:0 < 10:2021-03-01 | 10:2021-03-01
platform | external_v8 | >= 11:0 < 11:2021-03-01 | 11:2021-03-01
platform | external_v8 | >= 8.1:0 < 8.1:2021-03-01 | 8.1:2021-03-01
platform | external_v8 | >= 9:0 < 9:2021-03-01 | 9:2021-03-01

Detection & IOCs (extracted from sources)

  • Vulnerability exists in Builtins::Generate_ArgumentsAdaptorTrampoline within builtins-arm.cc and related architecture-specific files; monitor for exploitation attempts targeting this function via JavaScript engine abuse in Android WebView or V8-based components
  • Affected Android versions are 8.1, 9, 10, and 11; prioritize detection and patching on unpatched devices running these versions, particularly those exposed to untrusted content (e.g., browsers, app sandboxes)
  • Classified as Remote Code Execution (RCE) with HIGH severity requiring no user interaction and no additional privileges; treat any anomalous unprivileged process crashes or memory corruption signals on affected Android versions as potential exploitation indicators
  • No public proof-of-concept exploit code, hashes, domains, IPs, or network indicators were referenced in the available sources; IOC-based detection is not possible from current documentation alone
  • The Android Security Bulletin reference A-160610106 is an internal Android bug tracker ID; full technical details and patch diffs may be available via AOSP Gerrit but were not included in the provided sources, limiting actionable IOC extraction

CVSS provenance

nvd  v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  7.5  HIGH  AV:N/AC:L/Au:N/C:P/I:P/A:P
osv  6.8  MEDIUM