CVE-2021-0340

HIGH

Android 10 - Unredacted Location Information Leak in IsoInterface.java

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-0340. PoCs published by nanopathi, Satheesh575555.

AI-analyzed exploit summary: This repository contains the patched source code for the Android MediaProvider component affected by CVE-2021-0340, a local privilege escalation vulnerability. The code includes fixes for improper permission checks in the MediaProvider service, which could allow malicious apps to access sensitive media files.

Description

In parseNextBox of IsoInterface.java, there is a possible leak of unredacted location information due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-134155286

Exploits (2)

nomisec WRITEUP
by nanopathi · poc
https://github.com/nanopathi/packages_providers_MediaProvider_AOSP10_r33_CVE-2021-0340

This repository contains the patched source code for the Android MediaProvider component affected by CVE-2021-0340, a local privilege escalation vulnerability. The code includes fixes for improper permission checks in the MediaProvider service, which could allow malicious apps to access sensitive media files.

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Android MediaProvider (AOSP 10 r33)
No auth needed
Prerequisites: Access to a vulnerable Android device · Malicious app with minimal permissions
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP
by Satheesh575555 · poc
https://github.com/Satheesh575555/packages_providers_MediaProvider_AOSP10_r33_CVE-2021-0340

This repository contains source code files from the Android MediaProvider component, specifically the AOSP10 r33 version affected by CVE-2021-0340. The files include various classes and services related to media handling, but no explicit exploit code or technical analysis is provided.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Android MediaProvider (AOSP10 r33)
No auth needed
Prerequisites: Access to vulnerable Android device
devstral-2 · analyzed Feb 18, 2026

References (1)

Core References
Patch, Vendor Advisory x_refsource_misc
https://source.android.com/security/bulletin/2021-02-01

Scores

CVSS v3 8.8
EPSS 0.0206
EPSS Percentile 78.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE CWE-212
Status published
Products (1)
google/android 10.0
Published Feb 10, 2021
Tracked Since Feb 18, 2026