cbcvebase.
CVE-2021-0920
published 2021-12-15

Priority: P2 78 | medium 6.4 (CVSS 3.1)
Vector: AV:L / AC:H / PR:H / UI:N / S:U / C:H / I:H / A:H
KEV: CISA Known Exploited Vulnerability, due 2022-06-13
ITW: Exploited in the wild
EPSS: 0.81% (52.3th percentile)

In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android kernel
Android ID: A-196926917
References: Upstream kernel

Affected

12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | linux | < linux 5.14.6-1 (bookworm) | linux 5.14.6-1 (bookworm) |
| google | android | | |
| linux | linux_kernel | <= 5.13 | |
| linux | linux_kernel | | |
| linux | linux_kernel | >= 0 < 5.10.70-1 | 5.10.70-1 |
| linux | linux_kernel | >= 0 < 5.14.6-1 | 5.14.6-1 |
| linux | linux_kernel | >= 0 < 5.14.6-1 | 5.14.6-1 |
| linux | linux_kernel | >= 0 < 5.14.6-1 | 5.14.6-1 |
| linux | linux_kernel | >= 0 < 3.13.0-207.258 | 3.13.0-207.258 |
| linux | linux_kernel | >= 0 < 4.4.0-223.256 | 4.4.0-223.256 |
| paloalto | pan-os | | |

Detection & IOCs (extracted from sources)

  • Vulnerability is located in unix_scm_to_skb() within net/unix/af_unix.c — monitor for exploitation attempts targeting Unix domain socket garbage collection (unix_gc()) via race condition between close() and fget() calls
  • Exploitation vector is local privilege escalation; monitor for unexpected privilege changes from non-root local users, particularly those interacting with Unix domain socket file descriptors
  • CVE is listed in CISA KEV (Known Exploited Vulnerabilities catalog), confirming active in-the-wild exploitation — prioritize detection on Android kernel and Linux systems running unpatched kernels (pre-5.14.6 / pre-5.10.70)
  • On Debian/Ubuntu systems, flag hosts running kernel versions older than 5.14.6-1 (bookworm/sid/trixie/forky) or 5.10.70-1 (bullseye) as unpatched and vulnerable
  • No mitigation is available from Red Hat; patching is the only remediation path
  • Red Hat Enterprise Linux 9 is listed as Not Affected; detection efforts should focus on RHEL 8 and earlier, Android kernel, Debian, and Ubuntu systems
  • Kernel ABI change introduced by the fix requires recompilation and reinstallation of all third-party kernel modules after patching

CVSS provenance

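| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | | 6.4 | MEDIUM | |
| vulncheck | | 6.4 | MEDIUM | |
| cisa | | 6.4 | MEDIUM | |
| vendor_debian | | 6.4 | MEDIUM | |
| vendor_redhat | | 6.4 | MEDIUM | |
| vendor_ubuntu | | 6.4 | MEDIUM | |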