CVE-2021-0671

Vulnerability

In the MediaTek apusys driver, there is a possible memory corruption due to a missing bounds check. This vulnerability affects multiple MediaTek chipsets (including MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, and others) running on Android or other platforms [1]. The issue requires System execution privileges to trigger, and no user interaction is needed [1].

Exploitation

An attacker with System execution privileges on an affected device can exploit the missing bounds check in the apusys driver to cause memory corruption. No user interaction is required for exploitation [1].

Impact

Successful exploitation leads to local escalation of privilege within the System context, potentially allowing the attacker to gain further access or execute arbitrary code with elevated privileges [1].

Mitigation

MediaTek has released a security patch for this issue (Patch ID: ALPS05664273) as part of the November 2021 Product Security Bulletin [1]. Device OEMs have been notified and are expected to distribute the patch to end users. No workaround is available; applying the vendor-provided update is the recommended mitigation.