CVE-2021-0473 Overview
CVE-2021-0473 is a double free vulnerability in the Android Near Field Communication (NFC) stack. The flaw resides in the rw_t3t_process_error function of rw_t3t.cc, which handles error processing for Type 3 Tag reads and writes. Uninitialized data triggers a double free condition that an adjacent attacker can leverage for remote code execution over NFC. Exploitation requires no user interaction and no additional execution privileges. The vulnerability affects Android 8.1, 9, 10, and 11, and is tracked internally by Google as A-179687208.
Critical Impact
An attacker within NFC range can trigger remote code execution on an affected Android device without user interaction, gaining control of the NFC service context.
Affected Products
- Google Android 8.1
- Google Android 9
- Google Android 10
- Google Android 11
Discovery Timeline
- 2021-06-11 - CVE-2021-0473 published to the National Vulnerability Database (NVD)
- 2021-05-01 - Google releases security patch in the Android Security Bulletin
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-0473
Vulnerability Analysis
The vulnerability exists in rw_t3t_process_error, the error handler for the NFC Forum Type 3 Tag (T3T) reader/writer module in the Android NFC stack. The function consumes a data structure containing pointers that are not consistently initialized across all code paths. When the error handler runs against this partially initialized state, it frees a heap pointer that has either already been freed elsewhere or that was never owned exclusively by the handler. This produces a classic double free condition tracked under CWE-908 (Use of Uninitialized Resource).
The NFC service runs as a privileged system component with access to hardware interfaces. A successful exploit corrupts heap metadata, enabling an attacker to influence subsequent allocations and ultimately redirect execution flow within the NFC process. The proximity requirement limits the attack surface compared to fully remote network bugs, but the absence of user interaction makes the issue especially valuable in targeted attack scenarios involving rogue NFC tags or NFC-equipped attacker devices.
Root Cause
The root cause is the use of uninitialized stack or structure data inside the Type 3 Tag error processing routine. When specific error sequences occur during NFC tag interaction, fields that the handler assumes are zeroed retain residual values. The handler then issues a free call against a stale or duplicated pointer, breaking heap invariants.
Attack Vector
Exploitation requires the attacker to be within NFC range, typically a few centimeters from the victim device. The attacker presents a crafted Type 3 Tag, or operates an NFC peer device, that triggers the specific error path inside rw_t3t_process_error. No user tap, prompt, or unlock action is required beyond the device being powered with NFC enabled. The vulnerability description in the Android Security Bulletin and the NVD entry contain the authoritative technical detail; no public proof-of-concept exploit is currently available.
Detection Methods for CVE-2021-0473
Indicators of Compromise
- Unexpected crashes or restarts of the com.android.nfc system process recorded in logcat or tombstone files.
- Native crash signatures referencing rw_t3t.cc, rw_t3t_process_error, or libnfc-nci with SIGABRT or SIGSEGV signals.
- NFC service memory abort traces correlated with the device being near unknown NFC tags or readers.
Detection Strategies
- Collect Android tombstone and dropbox crash artifacts from managed devices and alert on repeated NFC stack faults.
- Monitor mobile threat defense telemetry for indicators that NFC was active in physically uncontrolled environments.
- Correlate NFC service crashes with subsequent anomalous process behavior on the device.
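The indicators and strategies above can be turned into a tombstone triage pass. The following is an added example, not code from the advisory or from Android: it grades native crashes by how closely they match the listed signatures and reports devices with repeated NFC faults. The tombstone excerpts, device IDs, level names and the make_tombstone helper are constructed for illustration.

```python
import re
from collections import Counter

# Markers come from the indicator list above; the tombstones below are constructed.
NFC_PROCESS = "com.android.nfc"
STACK_MARKERS = ("rw_t3t_process_error", "rw_t3t.cc", "libnfc-nci")
FATAL_SIGNALS = {"SIGABRT", "SIGSEGV"}
PROC_RE = re.compile(r">>>\s*(\S+)\s*<<<")
SIGNAL_RE = re.compile(r"^signal \d+ \((SIG[A-Z]+)\)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+\s+pc\s+[0-9a-f]+\s+(.+)$", re.M)

def classify_tombstone(text):
    """Return a finding for an NFC-related native crash, or None if unrelated."""
    proc, sig = PROC_RE.search(text), SIGNAL_RE.search(text)
    if not proc or not sig or sig.group(1) not in FATAL_SIGNALS:
        return None
    frames = FRAME_RE.findall(text)
    markers = [m for m in STACK_MARKERS if any(m in f for f in frames)]
    if "rw_t3t_process_error" in markers or "rw_t3t.cc" in markers:
        level = "t3t-error-path"   # crash inside the Type 3 Tag error handler
    elif markers:
        level = "nfc-stack"        # crash elsewhere in libnfc-nci
    elif proc.group(1) == NFC_PROCESS:
        level = "nfc-process"      # NFC service died, frames not attributable
    else:
        return None
    return {"process": proc.group(1), "signal": sig.group(1),
            "markers": markers, "level": level}

def repeated_faults(records, threshold=2):
    """records: (device_id, tombstone_text) pairs; returns devices at or over threshold."""
    counts = Counter(dev for dev, text in records if classify_tombstone(text))
    return {dev: n for dev, n in counts.items() if n >= threshold}

def make_tombstone(process, signal_line, frames):
    """Build a constructed tombstone excerpt (header, signal line, backtrace)."""
    body = "\n".join(f"      #{i:02d} pc 00000000000{i}a1b0  {f}" for i, f in enumerate(frames))
    return (f"pid: 1234, tid: 1250, name: {process}  >>> {process} <<<\n"
            f"{signal_line}\nbacktrace:\n{body}\n")

ABRT = "signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------"
SEGV = "signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10"
T3T = make_tombstone(NFC_PROCESS, ABRT, [
    "/apex/com.android.runtime/lib64/bionic/libc.so (abort+160)",
    "/system/lib64/libnfc-nci.so (rw_t3t_process_error+120)"])
NFC_OTHER = make_tombstone(NFC_PROCESS, SEGV, ["/system/lib64/libnfc-nci.so"])
UNRELATED = make_tombstone("com.example.app", SEGV, ["/data/app/libexample.so"])
SAMPLE = [("dev-A", T3T), ("dev-A", T3T), ("dev-B", NFC_OTHER), ("dev-C", UNRELATED)]

if __name__ == "__main__":
    print(repeated_faults(SAMPLE))
```

A crash graded "t3t-error-path" matches the signature most specific to this CVE; "nfc-stack" and "nfc-process" hits are weaker signals that matter mainly when they repeat on the same device.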
Monitoring Recommendations
- Enroll Android devices in an enterprise mobility management (EMM) platform that reports patch level and surfaces devices below the May 2021 security patch level.
- Track Android Security Patch Level (SPL) compliance across the fleet and flag devices still on builds prior to 2021-05-01.
- Forward device crash and security telemetry into a centralized data lake for retrospective hunting against NFC stack signatures.
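A fleet-wide version of the patch level check, as an added example rather than code from the advisory or any EMM product. It assumes an inventory export with one serial,release,security_patch row per device (the values getprop reports for ro.build.version.release and ro.build.version.security_patch); the serial numbers and status names are constructed.

```python
from datetime import date

FIXED_SPL = date(2021, 5, 1)            # patch level named in the advisory
AFFECTED = {"8.1", "9", "10", "11"}     # releases the advisory lists as affected

def normalize_release(release):
    """Map getprop-style values such as '8.1.0' to the advisory's '8.1'."""
    parts = release.strip().split(".")
    if parts[0] == "8" and len(parts) > 1:
        return ".".join(parts[:2])
    return parts[0]

def classify(release, spl):
    """Return 'patched', 'vulnerable', 'unlisted-release' or 'unknown-spl'."""
    try:
        level = date.fromisoformat(spl.strip())
    except ValueError:
        return "unknown-spl"            # missing or malformed value: not verified
    if level >= FIXED_SPL:
        return "patched"
    if normalize_release(release) in AFFECTED:
        return "vulnerable"
    return "unlisted-release"           # old SPL on a release the advisory does not list

def triage(inventory_csv):
    """inventory_csv rows: serial,release,security_patch. Returns {serial: status}."""
    result = {}
    for row in inventory_csv.strip().splitlines():
        serial, release, spl = (col.strip() for col in row.split(","))
        result[serial] = classify(release, spl)
    return result

# Constructed inventory; SER004 has no reported patch level.
INVENTORY = """
SER001,11,2021-05-05
SER002,10,2021-04-01
SER003,8.1.0,2020-12-05
SER004,9,
SER005,11,2021-05-01
SER006,7.1.2,2019-10-01
"""

if __name__ == "__main__":
    for serial, status in triage(INVENTORY).items():
        print(serial, status)
```

Devices reported as "unknown-spl" should be treated as unverified rather than compliant, since a missing property says nothing about the installed build.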
How to Mitigate CVE-2021-0473
Immediate Actions Required
- Apply the Android security update with patch level 2021-05-01 or later on all affected devices.
- Disable NFC on devices that cannot be patched, particularly those still running Android 8.1 or 9 without vendor updates.
- Inventory unpatched Android endpoints and prioritize remediation for devices used in public or high-risk physical environments.
Patch Information
Google addressed CVE-2021-0473 in the Android Security Bulletin May 2021. Device manufacturers integrated the fix into vendor-specific Android builds shipping the 2021-05-01 security patch level or later. Verify the patch level in Settings > About phone > Android security update before considering a device remediated.
Workarounds
- Turn off NFC in device settings until the security update is installed.
- Restrict use of NFC payments, transit cards, and tag-based workflows on vulnerable devices.
- Retire or replace devices on Android versions that no longer receive security updates from the manufacturer.
# Verify Android security patch level via adb
adb shell getprop ro.build.version.security_patch
# Expected output for remediation: 2021-05-01 or later
# Disable NFC as a temporary workaround (requires appropriate permissions)
adb shell svc nfc disable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

