CVE-2021-1048
published 2021-12-15


Priority: P1 82 · Severity: high · CVSS 3.1 base score: 7.8
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Flags: KEV, ITW
CISA Known Exploited Vulnerability (due date 2022-06-13)
Exploited in the wild
EPSS: 1.05% (59.9th percentile)
In ep_loop_check_proc of eventpoll.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android kernel
Android ID: A-204573007
References: Upstream kernel

Affected

6 ranges
Vendor | Product | Version range | Fixed in
debian | linux | < linux 5.8.10-1 (bookworm) | linux 5.8.10-1 (bookworm)
google | android | (none listed) | (none listed)
linux | linux_kernel | >= 0, < 5.8.10-1 | 5.8.10-1
linux | linux_kernel | >= 0, < 5.8.10-1 | 5.8.10-1
linux | linux_kernel | >= 0, < 5.8.10-1 | 5.8.10-1
linux | linux_kernel | >= 0, < 5.8.10-1 | 5.8.10-1

Detection & IOCs (extracted from sources)

filename: fs.db
filename: loader.py
filename: sqlimper.py
process: zygote64
process: system_server
process: installd
process: audioserver (alien_voip)
process: audioserver (alien_recorder)
  • Monitor for ALIEN injected into the zygote64 process address space; injection into zygote is a key indicator of PREDATOR/ALIEN spyware activity exploiting CVE-2021-1048.
  • Detect the presence of fs.db (an encrypted SQLite3 file) being written or accessed by audioserver, zygote64, or system_server processes, which is anomalous and indicative of PREDATOR spyware activity.
  • Look for interception of ioctl commands by processes such as zygote64, system_server, and installd, which is used by ALIEN/PREDATOR to abuse SELinux context.
  • Detect use of dlsym() to dynamically load and call main_exec() from a downloaded component, which is the ALIEN initialization mechanism for loading PREDATOR.
  • Alert on privilege escalation attempts via code injection into privileged processes (e.g., zygote64, system_server) on Android devices, consistent with CVE-2021-1048 exploitation via the QUAILEGGS method.
  • The PREDATOR download URL is stored in the ALIEN component configuration; the specific URL is dynamic and not hardcoded in the analyzed samples, making static URL-based detection unreliable.
  • CVE-2021-1048 patch coverage varied significantly by device: some Google Pixel phones remained vulnerable until March 2021 and Samsung devices until at least October 2021, despite the upstream patch being available in September 2020.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C
osv | | 7.8 | HIGH |
vulncheck | | 7.8 | HIGH |
cisa | | 7.8 | HIGH |
vendor_debian | | 7.8 | HIGH |
vendor_redhat | | 7.8 | HIGH |