CVE-2021-1048
Published 2021-12-15
Priority: P1 (82) · Severity: high · CVSS 3.1: 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), remediation due 2022-06-13 · Exploited in the wild (ITW)
EPSS: 1.05% (59.9th percentile)

In ep_loop_check_proc of eventpoll.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android kernel
Android ID: A-204573007
References: Upstream kernel
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 5.8.10-1 (bookworm) | linux 5.8.10-1 (bookworm) |
| android | — | — | |
| linux | linux_kernel | >= 0 < 5.8.10-1 | 5.8.10-1 |
| linux | linux_kernel | >= 0 < 5.8.10-1 | 5.8.10-1 |
| linux | linux_kernel | >= 0 < 5.8.10-1 | 5.8.10-1 |
| linux | linux_kernel | >= 0 < 5.8.10-1 | 5.8.10-1 |
Detection & IOCs (extracted from sources)
- Monitor for ALIEN injected into the zygote64 process address space; injection into zygote is a key indicator of PREDATOR/ALIEN spyware activity exploiting CVE-2021-1048.
- Detect the presence of fs.db (an encrypted SQLite3 file) being written or accessed by audioserver, zygote64, or system_server processes, which is anomalous and indicative of PREDATOR spyware activity.
- Look for interception of ioctl commands by processes such as zygote64, system_server, and installd, which is used by ALIEN/PREDATOR to abuse SELinux context.
- Detect use of dlsym() to dynamically load and call main_exec() from a downloaded component, which is the ALIEN initialization mechanism for loading PREDATOR.
- Alert on privilege escalation attempts via code injection into privileged processes (e.g., zygote64, system_server) on Android devices, consistent with CVE-2021-1048 exploitation via the QUAILEGGS method.
- Note: the PREDATOR download URL is stored in the ALIEN component configuration; the specific URL is dynamic and not hardcoded in the analyzed samples, making static URL-based detection unreliable.
- Note: CVE-2021-1048 patch coverage varied significantly by device: some Google Pixel phones remained vulnerable until March 2021 and Samsung devices until at least October 2021, despite the upstream patch being available in September 2020.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 7.8 | HIGH | |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
| vendor_debian | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
Project Zero
The More You Know, The More You Know You Don't Know - Project Zero
project_zero · 2022-04-01 · tagged CVE-2016-4654
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
GHSA
GHSA-r535-rfwp-fm57: In ep_loop_check_proc of eventpoll
ghsa_unreviewed · 2021-12-16 · CVE-2021-1048 [HIGH] CWE-416
OSV
CVE-2021-1048: In ep_loop_check_proc of eventpoll
osv · 2021-12-15 · CVSS 7.8 · CVE-2021-1048 [HIGH]
OSV
CVE-2021-1048: In ep_loop_check_proc of eventpoll
osv · 2021-11-01 · CVE-2021-1048
VulnCheck
Android Kernel Use-After-Free Vulnerability
vulncheck · 2021 · CVSS 7.8 · CVE-2021-1048 [HIGH] CWE-416
Android kernel contains a use-after-free vulnerability that allows for privilege escalation.
Affected: Android / Android
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://blog.talosintelligence.com/mercenary-intellexa-predator/
- https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_Vendors.pdf
- https://www.ox.security/wp-content/uploads/2025/05/The-KEV-Illusion-Separating-True-Threats-from-Pretend-Critical-Risks-v4.pdf
Remediation Due: 2022-06-13
Project Zero
Project Zero RCA: CVE-2021-1048: Android kernel refcount increment on mid-destruction file
project_zero · CVSS 7.8 · CVE-2021-1048 [HIGH]
# CVE-2021-1048: Android kernel refcount increment on mid-destruction file
*Jann Horn*
## The Basics
**NOTE: The original vulnerability was in the Linux kernel, but in-the-wild exploitation was only seen on Android-based devices, which run Android-specific kernel forks**
**Disclosure or Patch Date:** it's complicated (but the Android bulletin is from 6 November 2021)
**Product:** Android / Linux kernel
**Advisory:** [ASB 2021-11](https://source.android.com/security/bulletin/2021-11-01#kernel-components_1)
**Affected Versions (upstream Linux):**
- 5.9-rc2 - 5.9-rc3 (mainline: only release candidates affected)
- 5.8.4 - 5.8.7 (short-lived stable branch)
  - date range: 2020-08-26 - 2020-09-09
- 5.7.18 and higher (short-lived stable branch, EOL before fix)
  - date range: 2020-08-26 - EOL
CISA
Android Kernel Use-After-Free Vulnerability
cisa · 2022-05-23 · CVSS 7.8 · CVE-2021-1048 [HIGH] CWE-416
Vulnerability: Android Kernel Use-After-Free Vulnerability
Affected: Android Kernel
Android kernel contains a use-after-free vulnerability that allows for privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-1048
Remediation Due Date: 2022-06-13
Android
CVE-2021-1048: Kernel
vendor_android · 2021-11-01 · CVSS 7.8 · CVE-2021-1048 [HIGH]
Android Security Bulletin 2021-11-01
CVE: CVE-2021-1048
Severity: HIGH
Type: EoP
Component: Kernel
References: A-204573007, Upstream kernel
Red Hat
kernel: Use After Free in epoll_loop_check_proc() which could result in a local privilege escalation
vendor_redhat · 2021-09-02 · CVSS 7.8 · CVE-2021-1048 [HIGH] CWE-416
A use-after-free flaw was found in Linux kernel's ep_loop_check_proc in fs/eventpoll.c function in the filesystem. This flaw could allow an attacker to crash the system while polling for a file that is already committed to destruction. This vulnerability could lead to a kernel information leak and a privilege escalation problem.
Mitigation: Mitigation f
Debian
CVE-2021-1048: linux - In ep_loop_check_proc of eventpoll.c, there is a possible way to corrupt memory ...
vendor_debian · 2021 · CVSS 7.8 · CVE-2021-1048 [HIGH]
Scope: local
bookworm: resolved (fixed in 5.8.10-1)
bullseye: resolved (fixed in 5.8.10-1)
forky: resolved (fixed in 5.8.10-1)
sid: resolved (fixed in 5.8.10-1)
trixie: resolved (fixed in 5.8.10-1)
No detection rules found.
No public exploits indexed.
Mandiant
Sanctioned but Still Spying: Intellexa's Prolific Zero-Day Exploits Continue
blogs_mandiant · 2025-12-03
Threat Intelligence
# Sanctioned but Still Spying: Intellexa's Prolific Zero-Day Exploits Continue
December 3, 2025
##### Google Threat Intelligence Group
### Introduction
Despite extensive scrutiny and public reporting, commercial surveillance vendors continue to operate unimpeded. A prominent name continues to surface in the world of mercenary spyware, Intellexa. Known for its “Predator” spyware, the company was sanctioned by the US Government. New Google Threat Intelligence Group (GTIG) analysis shows that Intellexa is evading restrictions and thriving.
Intellexa has adapted, evaded restrictions, and continues selling digital weapons to the highest bidders. Alongside
Talos
Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware
blogs_talos · 2023-05-25
We would like to thank The Citizen Lab for their cooperation, support and inputs into this research.
- Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).
- Our research specifically looks at two components of this mobile spyware suite known as “ALIEN” and “PREDATOR,” which compose the backbone of the spyware implant. Our findings include an in-depth walkthrough of the infection chain, including the implants’ various information-stealing capabilities.
- A deep dive into both spyware components indicates that ALIEN is more than just a loader for PREDATOR and acti
Bugzilla
CVE-2021-1048 kernel: Use After Free in epoll_loop_check_proc() which could result in a local privilege escalation
bugzilla · 2021-12-13 · CVSS 7.8 · CVE-2021-1048 [HIGH]
A use-after-free flaw was found in ep_loop_check_proc in fs/eventpoll.c in the filesystem. This flaw could allow an attacker to crash the system while polling for a file that is already committed to destruction. This vulnerability could lead to a kernel information leak and a privilege escalation problem.
References:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=77f4689de17c0887775bb77896f4cc11a39bf848
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2031929]
---
This was fixed for Fedora with the 5.8.8 stable kernel updates.
Timeline
- 2021-12-15: Published
- 2022-05-23: Added to CISA KEV
- Exploited in the wild