CVE-2021-0920 — Android Kernel Race Condition Vulnerability

CVE-2021-0920

Android Linux Kernel — Race Condition in Unix Socket Garbage Collector Enables High-Privilege Attacker to Escalate to Root; Exploited in Targeted Surveillance Chains

What is Unix Socket Garbage Collection in the Android Kernel?

Android's Linux kernel includes a garbage collector (unix_gc) for Unix domain sockets. Socket file descriptors can be passed between processes over Unix sockets, and sockets that hold references to each other this way can form cycles that ordinary reference counting never releases; unix_gc finds those unreachable in-flight sockets and frees them. The collector runs during socket destruction and manipulates socket reference counts to decide which sockets can be safely freed. Race conditions in this code arise when a concurrent operation (such as another process accessing a socket while it is being collected) opens a time-of-check-to-time-of-use (TOCTOU) window, allowing one thread to operate on a socket that another thread has already freed. The resulting use-after-free is a kernel memory corruption primitive that, given sufficient privileges (PR:H) and precise timing (AC:H), can be exploited for kernel privilege escalation.

Overview

CVE-2021-0920 is a race condition vulnerability (CWE-362) in the Linux kernel's Unix domain socket garbage collector (unix_gc) that, when exploited, leads to a use-after-free condition enabling privilege escalation to root. The CVSS profile (AV:L/AC:H/PR:H) reflects the complexity of exploitation: it requires local code execution with high privileges and high attack complexity (precise timing for the race condition). Despite these requirements, it was used in targeted surveillance attack chains — typically as the kernel escalation stage following initial device compromise via a browser or messaging exploit. Android patches for CVE-2021-0920 were included in the December 2021 Security Bulletin. CISA added it to KEV in May 2022.

Affected Versions

Product                                                      Vulnerable   Fixed
Android devices with Linux kernel before December 2021 patch Yes          December 2021 Android Security Bulletin
Linux kernel versions with unpatched unix_gc                 Yes          Kernel patch for unix_gc race condition

Technical Details

  • Root cause: Race condition (CWE-362) in the unix_gc() garbage collection function for Unix domain sockets — the garbage collector and concurrent socket operations race on the same socket object; under the right timing, a socket freed by garbage collection is subsequently accessed by another code path, creating a use-after-free condition
  • Use-after-free primitive: The race condition produces a kernel UAF — a freed socket object is accessed again, and by controlling what occupies the freed memory (through kernel heap manipulation), the attacker achieves type confusion with a different kernel object, enabling controlled kernel memory read/write
  • PR:H requirement: The AC:H/PR:H profile indicates this vulnerability is not trivially exploitable from a low-privilege context; exploitation requires an attacker who has already obtained significant privileges or is operating in a specific execution context (such as a highly privileged service or a process with specific capabilities)
  • Kernel escalation in exploit chains: CVE-2021-0920 fits the pattern of kernel LPE vulnerabilities used as stage 2 in mobile exploit chains: stage 1 (browser or messaging zero-day) achieves sandboxed code execution → stage 2 (CVE-2021-0920 kernel UAF) achieves root by escaping the sandbox and escalating to kernel privilege
  • Commercial surveillance spyware relevance: The May 2022 CISA KEV addition and the "limited targeted attacks" pattern consistent with this CVSS profile suggest use in commercial surveillance spyware deployment chains, consistent with the pattern of 0-days maintained by NSO Group, Cytrox, and similar vendors for mobile device compromise

Discovery

Identified and patched in Android's December 2021 Security Bulletin as part of routine kernel security maintenance. The May 2022 CISA KEV addition reflects confirmed exploitation in targeted attacks — the five-month gap between patch and KEV addition being consistent with the timeframe for attribution and forensic confirmation of exploitation in high-priority surveillance investigations.

Exploitation Context

Android kernel vulnerabilities with the exploitation profile of CVE-2021-0920 are primarily used in sophisticated surveillance operations — the high complexity and privilege requirements make mass exploitation impractical, but do not prevent targeted use by actors with the technical sophistication to develop working exploits (nation-state intelligence agencies, commercial surveillance vendors). The kernel UAF chain for Android root is the core of mobile surveillance chains where the goal is persistent, invisible access to device data (contacts, messages, location, calls). CISA's KEV inclusion reflects that federal government Android devices were considered at risk from this vulnerability through active targeted surveillance campaigns.

Remediation

  1. Apply Android December 2021 Security Bulletin updates — the patch for CVE-2021-0920 is included in the 2021-12-05 and 2021-12-06 security patch levels
  2. Update Android to the latest available version for the device — verify the security patch level in Settings → About Phone → Android Security Update
  3. Enable automatic security updates on Android devices where available
  4. For enterprises managing Android devices: deploy device patch level enforcement via MDM (Mobile Device Management) — require minimum security patch level for corporate access
  5. For high-risk individuals (journalists, executives, government officials): consider using Android devices with rapid patch delivery (Google Pixel, which receives monthly security updates directly from Google) and enable Lockdown mode for additional protection
  6. Replace end-of-life Android devices that no longer receive security patches — older devices without patch support remain permanently vulnerable to known kernel vulnerabilities
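The patch-level check in steps 1 and 2 can be automated for a fleet. The script below is an added example, not part of the bulletin or any vendor tooling; it assumes adb is in PATH with USB debugging enabled on the device, and treats 2021-12-05 (the first patch level the page names as carrying the fix) as the minimum acceptable level.

```shell
#!/bin/sh
# Added example: decide whether an Android security patch level is at or past
# the level that carries the CVE-2021-0920 fix. Patch levels are YYYY-MM-DD
# strings, so dropping the dashes turns them into comparable integers.

FIX_LEVEL="2021-12-05"   # from the December 2021 bulletin (2021-12-01 is too old)

# patch_level_ok LEVEL
#   0 -> LEVEL is >= FIX_LEVEL (fixed)
#   1 -> LEVEL is older than FIX_LEVEL (vulnerable)
#   2 -> LEVEL is not a YYYY-MM-DD string (property missing or unreadable)
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    have=$(printf '%s' "$1" | tr -d '-')
    need=$(printf '%s' "$FIX_LEVEL" | tr -d '-')
    [ "$have" -ge "$need" ]
}

# report LEVEL -> one human-readable line, prefixed OK / VULNERABLE / UNKNOWN
report() {
    patch_level_ok "$1"
    case $? in
        0) echo "OK: patch level $1 is at or past $FIX_LEVEL (CVE-2021-0920 fixed)" ;;
        1) echo "VULNERABLE: patch level $1 predates $FIX_LEVEL; apply the December 2021 bulletin" ;;
        *) echo "UNKNOWN: could not read a valid patch level ('$1')" ;;
    esac
}

# check_device [SERIAL] -> read ro.build.version.security_patch over adb and report.
# The property is what Settings -> About Phone -> Android Security Update displays.
check_device() {
    if [ -n "${1:-}" ]; then set -- -s "$1"; else set --; fi
    level=$(adb "$@" shell getprop ro.build.version.security_patch | tr -d '\r')
    report "$level"
}

# Usage: ./check_patch_level.sh            (single attached device)
#        ./check_patch_level.sh SERIAL     (specific device)
if [ "${1:-}" = "--adb" ]; then check_device "${2:-}"; fi
```

Run with `--adb [SERIAL]` to query a device; without arguments the functions are only defined, so the file can also be sourced from a larger MDM or inventory script.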

Key Details

Property              Value
CVE ID                CVE-2021-0920
Vendor / Product      Android — Kernel
NVD Published         2021-12-15
NVD Last Modified     2025-10-23
CVSS 3.1 Score        6.4
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity              MEDIUM
CWE                   CWE-362
CISA KEV Added        2022-05-23
CISA KEV Deadline     2022-06-13
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     High
Privileges Required   High
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-06-13. Apply updates per vendor instructions.

Timeline

Date         Event
2021-12-06   Android December 2021 Security Bulletin patches CVE-2021-0920 in the Linux kernel (unix_gc)
2021-12-15   CVE published
2022-05-23   Added to CISA Known Exploited Vulnerabilities catalog, reflecting targeted exploitation in surveillance chains
2022-06-13   CISA BOD 22-01 remediation deadline

References

Resource                                    Type
Android Security Bulletin — December 2021   Vendor Advisory
NVD — CVE-2021-0920                         Vulnerability Database
CISA KEV Catalog Entry                      US Government