CVE-2021-0942Out-of-bounds Read in Google Android

CWE-125Out-of-bounds Read4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
0.1%
top 64.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Google Android
Timeline
PublishedSep 13
Latest updateSep 14

Description

The path in this case is a little bit convoluted. The end result is that via an ioctl an untrusted app can control the ui32PageIndex offset in the expression:sPA.uiAddr = page_to_phys(psOSPageArrayData->pagearray[ui32PageIndex]);With the current PoC this crashes as an OOB read. However, given that the OOB read value is ending up as the address field of a struct I think i seems plausible that this could lead to an OOB write if the attacker is able to cause the OOB read to pull an interesting kern

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-74fp-85wq-7rrv: The path in this case is a little bit convoluted2022-09-14
OSV
CVE-2021-0942: The path in this case is a little bit convoluted2022-09-01

📋Vendor Advisories

1
Android
CVE-2021-0942: PowerVR-GPU2022-09-01