CVE-2021-39686 — Race Condition in Google Android

CWE-362 — Race Condition CWE-366 — Race Condition within a Thread CWE-269 — Improper Privilege Management7 documents6 sources

Severity

7.0HIGHNVD

EPSS

0.0%

top 94.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Debian Linux Google Android

Timeline

PublishedMar 16

Latest updateMar 17

Description

In several functions of binder.c, there is a possible way to represent the wrong domain to SELinux due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-200688826References: Upstream kernel

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages3 packages

▶Debianlinux/linux_kernel< 5.15.15-1+2

▶googlegoogle/android

▶debiandebian/linux< linux 5.15.15-1 (bookworm)

Patches

Patch: source.android.com ↗Patch: source.android.com ↗

🔴Vulnerability Details

GHSA

GHSA-9c4x-gw9f-7x8h: In several functions of binder↗2022-03-17

▶

OSV

CVE-2021-39686: In several functions of binder↗2022-03-16

▶

OSV

CVE-2021-39686: In several functions of binder↗2022-03-01

▶

📋Vendor Advisories

Red Hat

kernel: race condition in the Android binder driver could lead to incorrect security checks↗2022-03-07

▶

Android

CVE-2021-39686: Binder↗2022-03-01

▶

Debian

CVE-2021-39686: linux - In several functions of binder.c, there is a possible way to represent the wrong...↗2021

▶