CVE-2021-0901

Vulnerability

In the apusys driver on MediaTek chipsets, a missing bounds check can lead to memory corruption. This vulnerability affects devices using MediaTek chipsets that include the apusys component. The issue is identified by Patch ID ALPS05672107 and Issue ID ALPS05664618. The exact affected chipset list is not detailed in the available reference, but the vulnerability is classified as Medium severity in the December 2021 MediaTek Product Security Bulletin [1].

Exploitation

An attacker must already have System execution privileges on the device to exploit this vulnerability. No user interaction is required. The exploitation involves triggering the missing bounds check, which causes memory corruption within the apusys driver.

Impact

Successful exploitation leads to local escalation of privilege. The memory corruption can allow the attacker to gain higher privileges, potentially achieving arbitrary code execution in the kernel context.

Mitigation

MediaTek released a security patch in the December 2021 Product Security Bulletin [1]. Device OEMs have been notified and are expected to distribute the patch to end users. Users should apply the latest security updates from their device manufacturer.