Mallory
High · CISA KEV · Exploited in the wild · Public exploit

Use-After-Free in Android Kernel eventpoll

Identifiers: CVE-2021-1048 · CWE-416 (Use After Free)

CVE-2021-1048 is a use-after-free vulnerability in the Android kernel's eventpoll implementation, specifically in ep_loop_check_proc() in eventpoll.c. The flaw can result in memory corruption after a freed object is reused. Google's root-cause analysis associated this issue with the ability to inject code into privileged processes, and it was exploited in the wild as part of Android exploit chains linked to Cytrox/Intellexa Predator operations. The vulnerability affects Android kernel builds that include the vulnerable eventpoll code and have not yet received the upstream fix or its OEM backport.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can corrupt kernel memory and achieve local privilege escalation on Android devices. Exploitation can enable code injection into privileged processes, allowing an attacker who already has code execution on the device in an unprivileged context to break Android security boundaries and execute with elevated privileges. In observed real-world chains, this privilege escalation was used to support deployment of advanced spyware capabilities.

Mitigation

If you can’t patch tonight, do this now.

Where immediate patching is not possible, reduce exposure by limiting the ability to obtain initial code execution on the device, since this is a local privilege-escalation flaw rather than a standalone remote entry point. Prioritize rapid deployment of browser and application patches used in exploit chains, restrict installation/execution of untrusted code, and use platform hardening, exploit detection, and EDR/mobile threat defense controls to detect post-compromise privilege-escalation behavior. Mitigation is inherently limited without patching because exploitation requires only local code execution and no user interaction.

Remediation

Patch, then assume compromise.

Apply the vendor-provided Android kernel security updates that include the fix for CVE-2021-1048, and ensure OEM backports from the upstream kernel are incorporated into affected device kernels. Because patches propagate slowly across the Android ecosystem, remediation requires confirming that the specific device build and OEM kernel branch include the fix rather than assuming that upstream patch availability is sufficient. Devices should be updated to the latest security patch level provided by the platform/vendor.

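To make that last point actionable, the following added example (not Mallory's or Google's code) is a POSIX shell fleet check that reads each device's ro.build.version.security_patch over adb and compares it with the patch level that shipped the CVE-2021-1048 fix for that OEM branch; REQUIRED_PATCH_LEVEL is a placeholder you fill in from your vendor's bulletin, and the check fails closed when the device reports no usable patch level.

```shell
#!/bin/sh
# Added example (not Mallory's code): verify a device's reported Android security
# patch level against the level that shipped the CVE-2021-1048 fix for its OEM branch.
# REQUIRED_PATCH_LEVEL is a placeholder; take the real date from your vendor's bulletin.
REQUIRED_PATCH_LEVEL="${REQUIRED_PATCH_LEVEL:-YYYY-MM-DD}"

# is_iso_date STR: 0 when STR looks like YYYY-MM-DD, 1 otherwise.
is_iso_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# patch_level_at_least LEVEL REQUIRED
# 0 when LEVEL (ro.build.version.security_patch) is on or after REQUIRED.
# Malformed input fails closed: an unknown level is treated as unpatched.
patch_level_at_least() {
    is_iso_date "$1" && is_iso_date "$2" || return 1
    lvl=$(printf '%s' "$1" | sed 's/-//g')   # 2021-12-05 -> 20211205
    req=$(printf '%s' "$2" | sed 's/-//g')
    [ "$lvl" -ge "$req" ]
}

# device_is_patched SERIAL
# Queries the device over adb. Fix status is inferred from the device's own patch
# level, not from the upstream kernel version, because OEM backports lag upstream.
device_is_patched() {
    level=$(adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r\n')
    patch_level_at_least "$level" "$REQUIRED_PATCH_LEVEL"
}

# report_device SERIAL: one line per device for fleet review.
report_device() {
    if device_is_patched "$1"; then status=PATCHED; else status=NEEDS_UPDATE; fi
    kernel=$(adb -s "$1" shell uname -r | tr -d '\r\n')
    printf '%s\tkernel=%s\tstatus=%s\n' "$1" "$kernel" "$status"
}

# Usage: REQUIRED_PATCH_LEVEL=YYYY-MM-DD ./check.sh <serial> [serial ...]
for serial in "$@"; do report_device "$serial"; done
```
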
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor   Product   Type
Google   Android   operating_system

Vendor-confirmed product mapping.
