CVE-2021-0894

Vulnerability

In the apusys driver of MediaTek chipsets, there is a possible out of bounds write due to a missing bounds check. This vulnerability is identified by CVE-2021-0894 and is rated as Medium severity in the December 2021 MediaTek Product Security Bulletin [1]. Affected chipsets include a wide range of MediaTek smartphone, tablet, and AIoT SoCs such as MT6570, MT6580, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6763, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6797, MT6799, MT6833, and others [1]. The vulnerability requires System execution privileges to trigger, and no user interaction is needed [1].

Exploitation

An attacker with existing System execution privileges on an affected device can exploit the missing bounds check in the apusys driver to perform an out-of-bounds write. No user interaction is required, and the attack is local, meaning the attacker must already have elevated access on the system (e.g., through another compromise or as a system-level process) [1].

Impact

Successful exploitation leads to local escalation of privilege. The attacker can write data beyond the intended buffer, potentially overwriting critical memory structures, which may result in gaining even higher privileges or compromising the integrity of the system [1]. The impact is limited to systems already under attacker control with System privileges, but can facilitate further escalation.

Mitigation

MediaTek has released a security patch for this vulnerability, identified as ALPS05672107, and device OEMs have been notified since at least October 2021, two months before the December 2021 bulletin publication [1]. Users should ensure their devices receive the latest firmware updates from their OEMs. No workaround is available without the patch. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.