VYPR
Unrated severity · NVD Advisory · Published Dec 17, 2021 · Updated Aug 3, 2024

CVE-2021-0899

Description

In apusys, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05672107; Issue ID: ALPS05672059.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the MediaTek apusys driver allows local privilege escalation with System execution privileges.

Vulnerability

The vulnerability resides in the apusys driver of a wide range of MediaTek chipsets (including MT6570, MT6580, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6763, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6797, MT6799, MT6833, and others as listed in the December 2021 Product Security Bulletin [1]). It is a use-after-free condition that can lead to memory corruption. An attacker must already hold System execution privileges to reach the vulnerable code path. No user interaction is needed for exploitation. The issue is tracked via Patch ID ALPS05672107 and Issue ID ALPS05672059 [1].

Exploitation

An attacker with System execution privileges can trigger the use-after-free in the apusys driver, causing memory corruption. No additional privileges are needed beyond System-level access, and no user interaction is required. The exact exploitation sequence involves manipulating the freed memory to achieve code execution within the kernel context.

Impact

Successful exploitation leads to local escalation of privilege within the kernel, allowing the attacker to gain higher privileges or execute arbitrary code at the System level. The impact is a compromise of integrity and confidentiality, potentially enabling full control over the affected device.

Mitigation

MediaTek has released security patches for the affected chipsets. The December 2021 Product Security Bulletin indicates that patches were provided to device OEMs at least two months prior to publication [1]. Users should apply updates from their device manufacturers as soon as they are available. No workaround is provided in the bulletin; patching is the only mitigation.

References
  1. December 2021

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
