Vulnerability identifier: #VU61095

Vulnerability risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-39685

CWE-ID: CWE-119

Exploitation vector: Local

Exploit availability: Yes

Vulnerable software:
Google Android
Operating systems & Components / Operating system

Vendor: Google

Description

The vulnerability allows a malicious host to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the USB subsystem in Linux kernel. A malicious USB device can trigger memory corruption and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Google Android: 12 - 12 2022-03-01, 11 - 11 2022-03-01, 10 - 10 2022-03-01

---

External links
http://source.android.com/security/bulletin/2022-03-01#details-05
http://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de
http://android.googlesource.com/kernel/common/+/53afb231f54a69d827b882fa282b30bb10cb08a5
http://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88

---

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.