CVE-2021-0920
Published: 2021-12-15
CVE-2021-0920: In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System…
Priority P278 · medium 6.4 · CVSS 3.1
CVSS 3.1 vector: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Flags: KEV, ITW
CISA Known Exploited Vulnerability, due 2022-06-13
Exploited in the wild
EPSS: 0.81% (52.3rd percentile)
In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android kernel
Android ID: A-196926917
References: Upstream kernel
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 5.14.6-1 (bookworm) | linux 5.14.6-1 (bookworm) |
| android | — | — | — |
| linux | linux_kernel | <= 5.13 | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.70-1 | 5.10.70-1 |
| linux | linux_kernel | >= 0 < 5.14.6-1 | 5.14.6-1 |
| linux | linux_kernel | >= 0 < 5.14.6-1 | 5.14.6-1 |
| linux | linux_kernel | >= 0 < 5.14.6-1 | 5.14.6-1 |
| linux | linux_kernel | >= 0 < 3.13.0-207.258 | 3.13.0-207.258 |
| linux | linux_kernel | >= 0 < 4.4.0-223.256 | 4.4.0-223.256 |
| paloalto | pan-os | — | — |
Detection & IOCs
- Vulnerability is located in unix_scm_to_skb() within net/unix/af_unix.c — monitor for exploitation attempts targeting Unix domain socket garbage collection (unix_gc()) via race condition between close() and fget() calls
- Exploitation vector is local privilege escalation; monitor for unexpected privilege changes from non-root local users, particularly those interacting with Unix domain socket file descriptors
- CVE is listed in CISA KEV (Known Exploited Vulnerabilities catalog), confirming active in-the-wild exploitation — prioritize detection on Android kernel and Linux systems running unpatched kernels (pre-5.14.6 / pre-5.10.70)
- On Debian/Ubuntu systems, flag hosts running kernel versions older than 5.14.6-1 (bookworm/sid/trixie/forky) or 5.10.70-1 (bullseye) as unpatched and vulnerable
- No mitigation is available from Red Hat; patching is the only remediation path
- Red Hat Enterprise Linux 9 is listed as Not Affected; detection efforts should focus on RHEL 8 and earlier, Android kernel, Debian, and Ubuntu systems
- Kernel ABI change introduced by the fix requires recompilation and reinstallation of all third-party kernel modules after patching
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 6.4 | MEDIUM | — |
| vulncheck | — | 6.4 | MEDIUM | — |
| cisa | — | 6.4 | MEDIUM | — |
| vendor_debian | — | 6.4 | MEDIUM | — |
| vendor_redhat | — | 6.4 | MEDIUM | — |
| vendor_ubuntu | — | 6.4 | MEDIUM | — |
OSV: linux vulnerabilities
osv · 2025-08-27 · CVSS 6.4 · CVE-2021-0920 [MEDIUM]
It was discovered a race condition existed in the Unix domain socket
implementation in the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2021-0920)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- HID subsystem;
- Media drivers;
(CVE-2024-50302, CVE-2024-53104)
Project Zero: The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I)
project_zero · 2022-08-01 · CVSS 6.4 · CVE-2021-0920 [MEDIUM]
A deep dive into an in-the-wild Android exploit
Guest Post by Xingyu Jin, Android Security Research
This is part one of a two-part guest blog post, where first we'll look at the root cause of the CVE-2021-0920 vulnerability. In the second post, we'll dive into the in-the-wild 0-day exploitation of the vulnerability and post-compromise modules.
Overview of in-the-wild CVE-2021-0920 exploits
A surveillance vendor named Wintego has developed an exploit for Linux socket syscall 0-day, CVE-2021-0920, and used it in the wild since at least November 2020 based on the earliest captured sample, until the issue was fixed in November 2021. Combined with Chrome and Samsung browser exploits, the vendor was able to remotely root Samsung devices. The fix was released with the November 2021 Android Se
OSV: linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities
osv · 2022-04-01 · CVSS 5.3 · CVE-2020-12888 [MEDIUM]
It was discovered that the VFIO PCI driver in the Linux kernel did not
properly handle attempts to access disabled memory spaces. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2020-12888)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly verify certain fragmented frames. A physically proximate
attacker could possibly use this issue to inject or decrypt packets.
(CVE-2020-26141)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation
accepted plaintext fragments in certain situations. A physically proximate
attacker could use this issue to inject packets. (CVE-2020-26145)
It was discovered that a race condition existed in the Atheros Ath9k Wi
Project Zero: The More You Know, The More You Know You Don’t Know
project_zero · 2022-04-01 · CVE-2016-4654
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
Project Zero: Racing against the clock -- hitting a tiny kernel race window
project_zero · 2022-03-01 · CVSS 6.4 · CVE-2021-0920 [MEDIUM]
TL;DR:
How to make a tiny kernel race window really large even on kernels without CONFIG_PREEMPT:
- use a cache miss to widen the race window a little bit
- make a timerfd expire in that window (which will run in an interrupt handler - in other words, in hardirq context)
- make sure that the wakeup triggered by the timerfd has to churn through 50000 waitqueue items created by epoll
Racing one thread against a timer also avoids accumulating timing variations from two threads in each race attempt - hence the title. On the other hand, it also means you now have to deal with how hardware timers actually work, which introduces its own flavors of weird timing variations.
Introduction
I recently discovered a race condition (https://crbug.com/project-zero/2247) in the Linux kernel. (While
GHSA: GHSA-r93f-j2vf-vmc4: In unix_scm_to_skb of af_unix
ghsa_unreviewed · 2021-12-16 · CVE-2021-0920 [MEDIUM] · CWE-362
In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android kernel
Android ID: A-196926917
References: Upstream kernel
OSV: CVE-2021-0920: In unix_scm_to_skb of af_unix
osv · 2021-12-15 · CVSS 6.4 · CVE-2021-0920 [MEDIUM]
In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android kernel
Android ID: A-196926917
References: Upstream kernel
OSV: CVE-2021-0920: In unix_scm_to_skb of af_unix
osv · 2021-11-01 · CVE-2021-0920
In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
VulnCheck: Android Kernel Race Condition Vulnerability
vulncheck · 2021 · CVSS 6.4 · CVE-2021-0920 [MEDIUM] · CWE-362
Android kernel contains a race condition, which allows for a use-after-free vulnerability. Exploitation can allow for privilege escalation.
Affected: Android Android
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_Vendors.pdf; https://www.ox.security/wp-content/uploads/2025/05/The-KEV-Illusion-Separating-True-Threats-from-Pretend-Critical-Risks-v4.pdf
Remediation Due: 2022-06-13
Project Zero: Project Zero RCA: CVE-2021-0920: Android sk_buff use-after-free in Linux
project_zero · CVSS 6.4 · CVE-2021-0920 [MEDIUM]
# CVE-2021-0920: Android sk_buff use-after-free in Linux
*Xingyu Jin, Android Security Research*
## The Basics
**Disclosure or Patch Date:** November 5, 2021
**Product:** Google Android
**Advisory:** https://source.android.com/security/bulletin/2021-11-01#kernel-components
**Affected Versions:** Pre-Nov 5 2021 SPL for devices released prior to Nov 2022
**First Patched Version:** 5 Nov 2021 SPL+
**Issue/Bug Report:** A-196926917
**Patch CL:** https://android.googlesource.com/kernel/common/+/cbcf01128d0a92e131bd09f1688fe032480b65ca
**Bug-Introducing CL:** Unknown
**Reporter(s):** Anonymous
## The Code
**Proof-of-concept:** See the appendix
**Exploit sample:** N/A
**Did you have access to the exploit sample when doing the analysis?** Yes
## The Vulnerability
**Bug class:** use-
Ubuntu: Linux kernel vulnerabilities
vendor_ubuntu · 2025-08-27 · CVSS 6.4 · CVE-2021-0920 [MEDIUM]
Summary: Several security issues were fixed in the Linux kernel.
It was discovered a race condition existed in the Unix domain socket
implementation in the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2021-0920)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- HID subsystem;
- Media drivers;
(CVE-2024-50302, CVE-2024-53104)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel upd
CISA ICS: Siemens SIMATIC
cisa_ics · 2024-03-14
ICS Advisory
Release Date: March 14, 2024
Alert Code: ICSA-24-074-07
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC
- Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Missing Encryption of Sensitive Data, Incorrect Permission Assignment for Critical Resource, Expected Beha
Palo Alto: PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto · 2024-02-14 · CVSS 9.8 · CVE-2017-18342 [CRITICAL]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-18342, CVE-2017-8923, CVE-2017-9120, CVE-2019-1551, CVE-2019-16865, CVE-2019-16905, CVE-2019-19523, CVE-2019-19528, CVE-2019-19911, CVE-2020-0404, CVE-2020-0431, CVE-2020-0466, CVE-2020-10379, CVE-2020-11538, CVE-2020-11608, CVE-2020-12114, CVE-2020-12321, CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-13757, CVE-2020-14314, CVE-2020-14351, CVE-2020-15778, CVE-2020-1967, CVE-2020-24394, CVE-2020-24504, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25717, CVE-2020-26541, CVE-2020-2715
CISA: Android Kernel Race Condition Vulnerability
cisa · 2022-05-23 · CVSS 6.4 · CVE-2021-0920 [MEDIUM] · CWE-362
Affected: Android Kernel
Android kernel contains a race condition, which allows for a use-after-free vulnerability. Exploitation can allow for privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-0920
Remediation Due Date: 2022-06-13
Ubuntu: Linux kernel vulnerabilities
vendor_ubuntu · 2022-04-01 · CVSS 5.3 · CVE-2021-42739 [MEDIUM]
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the VFIO PCI driver in the Linux kernel did not
properly handle attempts to access disabled memory spaces. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2020-12888)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly verify certain fragmented frames. A physically proximate
attacker could possibly use this issue to inject or decrypt packets.
(CVE-2020-26141)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation
accepted plaintext fragments in certain situations. A physically proximate
attacker could use this issue to inject packets. (CVE-2020-26145)
It was discovered that a race c
Android: CVE-2021-0920: Kernel
vendor_android · 2021-11-01 · CVSS 6.4 · CVE-2021-0920 [MEDIUM]
Android Security Bulletin 2021-11-01
CVE: CVE-2021-0920
Severity: HIGH
Type: EoP
Component: Kernel
References: A-196926917
Upstream kernel
Red Hat: kernel: Use After Free in unix_gc() which could result in a local privilege escalation
vendor_redhat · 2021-07-28 · CVSS 6.4 · CVE-2021-0920 [MEDIUM] · CWE-416
In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android kernel
Android ID: A-196926917
References: Upstream kernel
A vulnerability was found in unix_dgram_recvmsg in net/unix/af_unix.c in the Linux kernel's garbage collection for Unix domain socket file handlers. In this flaw, a missing cleanup may lead to a use-after-free due to a race problem. This flaw allows a local user to crash the system or escalate their privileges on the system.
A read-after-free memory flaw was found in the Linux kerne
Debian: CVE-2021-0920: linux - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a...
vendor_debian · 2021 · CVSS 6.4 · CVE-2021-0920 [MEDIUM]
In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android kernel
Android ID: A-196926917
References: Upstream kernel
Scope: local
bookworm: resolved (fixed in 5.14.6-1)
bullseye: resolved (fixed in 5.10.70-1)
forky: resolved (fixed in 5.14.6-1)
sid: resolved (fixed in 5.14.6-1)
trixie: resolved (fixed in 5.14.6-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE: CWE-416: Use After Free
mitre_cwe
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Modify Memory. The use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere.
Scope: Availability. Impact: DoS: Crash, Exit, or Restart. If chunk consolidation occurs after the use of previously freed data, the process may crash
CWE: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
mitre_cwe
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
A race condition occurs within concurrent environments, and it is effectively a property of a code sequence. Depending on the context, a code sequence may be in the form of a function call, a small number of instructions, a series of program invocations, etc. A race condition violates these properties, which are closely related: Exclusivity - the code sequence is given exclusive access to the shared resource, i.e., no other code sequence can modify properties
https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html
https://source.android.com/security/bulletin/2021-11-01
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-0920
2021-12-15: Published
2022-05-23: Added to CISA KEV
Exploited in the wild