CVE-2021-1905 — Qualcomm Multiple Chipsets Use-After-Free Vulnerability

Qualcomm Adreno GPU Driver — Use-After-Free in Graphics Memory Mapping Enables SYSTEM Escalation on Android Devices with Snapdragon SoCs

What is the Qualcomm GPU Driver?

Qualcomm's Snapdragon systems-on-chip power a large share of Android devices worldwide, including many flagship smartphones from Samsung (Galaxy S series), OnePlus, Xiaomi, Sony, and others. The Qualcomm Adreno GPU driver is the kernel-mode component that manages the Adreno GPU hardware in these devices, handling memory mapping, command scheduling, and resource management for all GPU workloads. Like all GPU kernel drivers, the Adreno driver services requests from multiple concurrent applications and manages GPU memory that is shared between them. Use-after-free vulnerabilities in GPU memory management code are particularly exploitable because the freed memory can be reclaimed by another concurrent process, allowing an attacker to manipulate kernel data structures and escalate to SYSTEM privileges.

Overview

CVE-2021-1905 is a use-after-free vulnerability (CWE-416) in the Qualcomm Adreno GPU kernel driver, affecting multiple Qualcomm Snapdragon chipsets. The UAF occurs due to improper handling of memory mapping operations when multiple processes simultaneously access GPU memory — the driver frees a memory object while another process still holds a reference to it. A non-privileged local application can exploit this race condition to corrupt kernel memory and gain SYSTEM-level privileges on Android devices. Qualcomm published the fix in its May 2021 Security Bulletin. CISA added this to the KEV catalog in November 2021.

Affected Versions

Product | Vulnerable | Fixed
Multiple Qualcomm Snapdragon chipsets (various models) | Yes | Qualcomm May 2021 Security Bulletin fix
Android devices using affected Qualcomm chipsets | Yes | Requires OEM Android security update incorporating the fix

Technical Details

  • Root cause: Use-after-free (CWE-416) in Qualcomm's GPU memory mapping code — when multiple processes simultaneously perform memory mapping operations involving the same GPU memory object, a race condition can result in one process freeing the object while another process still holds an active reference; subsequent access through the dangling pointer corrupts kernel memory
  • Memory mapping race: GPU memory mapping operations are inherently concurrent — multiple apps run simultaneously and request GPU memory. The Adreno driver manages these shared resources but failed to properly synchronize reference counting, allowing the race-condition UAF
  • SYSTEM privilege escalation: Exploiting the UAF provides a kernel heap corruption primitive; by controlling the freed memory's contents, an attacker can overwrite kernel security structures and achieve root/SYSTEM access — breaking the Android app sandbox
  • No privileges required (PR:N): Any application on the device can trigger the vulnerable GPU memory mapping code path without special permissions — making the bug accessible to sandboxed apps including compromised browser renderers
  • Scope of affected chipsets: The Qualcomm Security Bulletin lists multiple affected Snapdragon product lines; the affected chipsets include models in the Snapdragon 888, 865, 855, and numerous other series used across the mid-to-high-end Android device ecosystem
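As an added illustration of the reference-counting defect the bullets above describe (not code from this page or from Qualcomm's driver), the following constructed model puts a lookup that hands out a raw pointer without taking a reference beside one that takes the reference under the table lock, and replays the process A / process B interleaving deterministically. All names (gpu_mem_entry, lookup_unsafe, lookup_safe, entry_put) are invented for the example.

```c
/* Constructed model, not Qualcomm's driver code: a GPU mapping table whose
 * lookup returns a raw pointer without taking a reference (the UAF pattern)
 * beside one that takes the reference under the table lock. */
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
struct gpu_mem_entry {
    int refcount;   /* owners: the table slot plus every in-flight user */
    bool alive;     /* cleared instead of free() so a dangling use stays observable */
};
#define NSLOTS 4
static struct gpu_mem_entry slots[NSLOTS];
static struct gpu_mem_entry *table[NSLOTS];   /* id -> entry, NULL when unmapped */
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
void entry_put(struct gpu_mem_entry *e) {     /* drop one reference; last owner releases */
    pthread_mutex_lock(&table_lock);
    if (--e->refcount == 0) e->alive = false;
    pthread_mutex_unlock(&table_lock);
}
void gpu_map(int id) {                        /* new entry, owned by the table */
    pthread_mutex_lock(&table_lock);
    slots[id].refcount = 1; slots[id].alive = true; table[id] = &slots[id];
    pthread_mutex_unlock(&table_lock);
}
void gpu_unmap(int id) {                      /* table gives up its reference */
    pthread_mutex_lock(&table_lock);
    struct gpu_mem_entry *e = table[id]; table[id] = NULL;
    pthread_mutex_unlock(&table_lock);
    if (e) entry_put(e);
}
/* Vulnerable: no reference taken, so a concurrent gpu_unmap() can release the entry mid-use. */
struct gpu_mem_entry *lookup_unsafe(int id) { return table[id]; }
/* Hardened: lookup and increment under one lock; entry lives until the caller's own entry_put(). */
struct gpu_mem_entry *lookup_safe(int id) {
    pthread_mutex_lock(&table_lock);
    struct gpu_mem_entry *e = table[id];
    if (e) e->refcount++;
    pthread_mutex_unlock(&table_lock);
    return e;
}
/* Replay: process A looks up id, process B unmaps it, A then touches the entry. */
bool race_uses_freed_entry(bool use_safe_lookup) {
    gpu_map(2);
    struct gpu_mem_entry *e = use_safe_lookup ? lookup_safe(2) : lookup_unsafe(2);
    gpu_unmap(2);                             /* B races in and releases */
    bool uaf = !e->alive;                     /* A's access after B's release */
    if (use_safe_lookup) entry_put(e);        /* A drops its own reference */
    return uaf;                               /* true: A touched a released entry */
}
```

The real driver frees kernel heap memory rather than clearing a flag; the flag only makes the dangling access observable without undefined behaviour.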

Discovery

Reported through Qualcomm's coordinated disclosure process and published in the Qualcomm May 2021 Security Bulletin. Google's Android security team and other researchers contributing to Qualcomm's disclosure program are the likely discoverers. The November 2021 CISA KEV addition confirms that exploitation of unpatched Qualcomm-powered Android devices was observed in the wild.

Exploitation Context

Qualcomm GPU driver vulnerabilities are high-value for Android exploit chain developers because Snapdragon powers a large fraction of Android devices, particularly flagship models that are targeted by commercial surveillance firms. The pattern of mobile surveillance operations (as documented in Google TAG's tracking of commercial spyware vendors) involves browser-based initial exploitation followed by kernel escalation via platform-specific drivers. CVE-2021-1905's no-privilege-required local access makes it particularly useful as a sandbox escape stage: a sandboxed Chrome renderer process can trigger the GPU memory mapping race directly. The long remediation deadline (May 2022) reflects that Android device manufacturers have variable update timelines for Qualcomm chipset patches.

Remediation

  1. Apply the latest Android security updates from your device manufacturer — the fix for CVE-2021-1905 is delivered through Android OEM updates incorporating the Qualcomm May 2021 Security Bulletin patch
  2. Check the Android Security Patch Level (Settings → About Phone → Android Security Patch Level) and confirm it is May 2021 or later, the level that carries the Qualcomm component fix
  3. For Samsung Galaxy devices: Samsung distributes monthly Samsung Security Updates alongside Android security patches; ensure these are current
  4. Devices that no longer receive security updates from their manufacturer are permanently exposed to kernel driver vulnerabilities — replacement with a supported device is the only complete remediation
  5. Enable Google Play Protect and restrict app installation to the Google Play Store to reduce the probability of delivering the initial exploit payload
  6. For security-sensitive use cases: prefer Qualcomm-powered devices with a strong update track record (such as Samsung's Galaxy S and A series), or move to a device that is receiving current security patches

Key Details

Property | Value
CVE ID | CVE-2021-1905
Vendor / Product | Qualcomm — Multiple Chipsets
NVD Published | 2021-05-07
NVD Last Modified | 2025-10-28
CVSS 3.1 Score | 8.4
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-416
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2022-05-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date | Event
2021-05-03 | Qualcomm publishes May 2021 Security Bulletin including fix for CVE-2021-1905
2021-05-07 | CVE published
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03 | CISA BOD 22-01 remediation deadline

References

Resource | Type
Qualcomm Security Bulletin — May 2021 | Vendor Advisory
NVD — CVE-2021-1905 | Vulnerability Database
CISA KEV Catalog Entry | US Government