CVE-2021-1906

What is Qualcomm GPU Address Management?

Qualcomm Adreno GPUs, embedded in Snapdragon chipsets used across hundreds of millions of Android devices, manage GPU virtual address spaces for each process that uses GPU resources. The GPU driver allocates and deregisters GPU virtual address regions for graphics buffers, compute workloads, and other GPU-mapped resources. When an address deregistration operation fails, the driver must properly handle the error condition — recording the failure, freeing any partially allocated resources, and updating internal tracking structures. If an error condition during deregistration is detected but not acted upon (the vulnerability class described as "Detection of Error Condition Without Action"), subsequent GPU address allocation attempts may fail because the driver's internal state is inconsistent — believing a region is both registered and deregistered simultaneously, leading to allocation failures and potential availability impact.

Overview

CVE-2021-1906 is a vulnerability in multiple Qualcomm chipsets' GPU driver where improper handling of GPU address deregistration failure leads to inconsistent driver state, causing subsequent GPU address allocation failures. The primary CVSS impact is Availability (A:H), reflecting that this condition can result in GPU process crashes or system instability when GPU memory management is disrupted. The vulnerability affects a wide range of Qualcomm Snapdragon chipsets — any device using the affected GPU driver versions. Qualcomm patched it in the April 2021 Security Bulletin; CISA added it to KEV in November 2021.

Affected Versions

Technical Details

• Root cause: Detection of error condition without action — when the GPU driver's address deregistration function encounters a failure condition, it detects the error but does not take corrective action; the failure leaves internal GPU address management structures in an inconsistent state, with a deregistration recorded as complete despite the underlying operation failing
• GPU address allocation failure: The inconsistent state causes subsequent GPU address allocation requests to fail because the driver believes certain address ranges are still in use (never properly deregistered); this prevents new GPU allocations from succeeding, resulting in application crashes for any app attempting GPU-accelerated operations
• A:H impact: Denial of availability at the process or system level — applications relying on GPU resources (camera, video, games, UI rendering) crash; in severe cases, the kernel GPU driver state corruption can trigger device crashes or system instability
• AV:L/PR:N: Exploitable locally without requiring any special privileges — any application running on the device can trigger the vulnerable GPU driver code path through normal GPU API calls
• Broad chipset impact: The Qualcomm security bulletin lists numerous affected chipset families (MDM9607, QCS405, SA415M, SD205, SD210, SM8150, etc.), covering a wide range of Android phones, tablets, embedded systems, and IoT devices using Snapdragon SoCs

Discovery

Identified and patched through Qualcomm's standard security vulnerability disclosure process. Qualcomm published the patch in the April 2021 Security Bulletin. CISA's November 2021 KEV addition reflects confirmed exploitation of the vulnerability in Android devices — consistent with targeted mobile device attacks where GPU driver vulnerabilities are used as part of privilege escalation or stability disruption chains.

Exploitation Context

Qualcomm GPU driver vulnerabilities are of interest to actors targeting Android devices for surveillance or exploitation. While CVE-2021-1906's primary impact is availability (denial of GPU functionality), GPU driver bugs in kernel-mode drivers can be chained with other vulnerabilities to achieve privilege escalation — a corrupted driver state may be leverageable beyond a simple denial of service. Qualcomm chipset vulnerabilities affect the broadest range of Android devices globally (Samsung Galaxy, Motorola, OnePlus, Xiaomi, and many others), making patches dependent on both Qualcomm's bulletin and individual OEM firmware updates. Devices that no longer receive OEM security updates remain permanently vulnerable.

Remediation

1. Apply Android security updates for the April 2021 Security Patch Level (SPL 2021-04-01 or later) — OEM updates incorporating the Qualcomm April 2021 chipset patches
2. Check device security patch level: Settings → About Phone → Android Security Update or Security Patch Level — confirm April 2021 or later
3. Enable automatic security updates on affected devices: Settings → Software Update → Auto download and install
4. For enterprise MDM: enforce minimum security patch level policy across managed Android devices with Qualcomm chipsets
5. Prioritize devices running Qualcomm Snapdragon chipsets (most Android non-Google devices) for security update compliance
6. Replace devices that no longer receive manufacturer security updates — end-of-life Android devices with affected Qualcomm chipsets remain permanently vulnerable