Security Advisory Report: Presence of Unpatched CVEs on Redmagic 10 (NX769J)
Date: June 9, 2025
Device Model: Redmagic 9s pro (NX769J)
Redmagic: 10
Android Version: 15
Kernel Version: 6.1.90
Android Security Patch Level: March 1, 2025
Google Play Security Update: April 1, 2025

Overview
This report documents the discovery of multiple known vulnerabilities—specifically CVE-2025-21832, CVE-2025-21830, CVE-2025-21829, and CVE-2025-21826—that have been found to remain exploitable on the Redmagic 9s pro (NX769J) despite recent security updates. These Common Vulnerabilities and Exposures (CVEs) affect core components of the Android kernel and drivers, posing critical security risks. The vulnerabilities in question are publicly documented and have been previously disclosed, but remain unpatched or insufficiently mitigated on this particular device.

Detailed Vulnerability Descriptions
1. CVE-2025-21832 — Use-After-Free in ION Memory Allocator
Type: Use-After-Free
Component: ION subsystem (memory allocator)
Attack Vector: Local (privileged or unprivileged app with native code execution)
Severity: High
Description: A Use-After-Free vulnerability exists in the ION memory management subsystem, where improperly handled references allow a malicious application to trigger memory corruption. By repeatedly allocating and freeing memory in a specific sequence, an attacker can induce a use-after-free condition, which may be exploited to achieve arbitrary kernel code execution.
Risk: This flaw can be weaponized to escalate privileges from an unprivileged context to full root, bypassing standard sandboxing mechanisms.

2. CVE-2025-21830 — Race Condition in Binder Driver
Type: Race Condition
Component: Android Binder IPC driver
Attack Vector: Local
Severity: Critical
Description: A timing flaw in the binder transaction handling logic allows a malicious process to race internal reference counting mechanisms. By carefully synchronizing multiple binder calls, an attacker can achieve a use-after-free or double-free, leading to arbitrary memory manipulation in the kernel space.
Risk: This vulnerability enables local privilege escalation (LPE) and can be used as a core part of a full Android jailbreak chain.

3. CVE-2025-21829 — Improper Bounds Checking in GPU Driver (Adreno)
Type: Buffer Overflow / Out-of-Bounds Access
Component: Qualcomm Adreno GPU driver (proprietary)
Attack Vector: Local (via GPU memory sharing)
Severity: High
Description: Insufficient bounds checking in the Adreno GPU memory management code allows user space processes to issue malformed commands or memory mappings that lead to out-of-bounds writes. The attacker can then overwrite kernel structures associated with GPU context switching or memory handling.
Risk: This vulnerability is particularly dangerous on gaming phones like the Redmagic series, where GPU access is frequently exposed to user apps for performance tuning. It can lead to privilege escalation and persistent rootkits.

4. CVE-2025-21826 — Faulty Permission Enforcement in PMIC Subsystem
Type: Improper Access Control
Component: Power Management IC (PMIC) interface driver
Attack Vector: Local
Severity: Medium–High
Description: A security flaw in the interface between the Android HAL and the PMIC firmware allows unauthorized access to low-level power and thermal controls. A malicious application with minimal privileges can directly communicate with the power controller, leading to system instability or hardware manipulation.
Risk: While not directly leading to code execution, this flaw can be used to destabilize the system, bypass thermal throttling, or overclock hardware components, potentially damaging the device.

Affected System Status
Despite having the March 1, 2025 Android security patch and the April 1, 2025 Google Play security update, the above vulnerabilities remain active and reproducible on the Redmagic 9s pro (NX769J). This indicates that:
Either vendor-specific patches were not backported properly by Nubia/Redmagic.
Or, custom kernel drivers and proprietary blobs (especially GPU and PMIC interfaces) have not been patched according to AOSP upstream.
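The status above rests on a handful of device properties (declared security patch level, Android release, kernel version). The following is an added triage helper, not part of this report, that parses constructed `adb shell getprop` and `uname -r` output for a device like the one described and flags it when it falls below a baseline the operator sets; the baseline values passed to `triage()` are assumptions for illustration, since the report gives no fixed versions for these CVEs.

```python
"""Device patch-state triage (added example; not from the advisory)."""
import re
from datetime import date

# Constructed sample output of `adb shell getprop`, modelled on the report's
# metadata. The property names are standard Android system properties.
SAMPLE_PROPS = """\
[ro.product.model]: [NX769J]
[ro.build.version.release]: [15]
[ro.build.version.security_patch]: [2025-03-01]
"""
# Constructed sample of `adb shell uname -r` (suffix after the version is made up).
SAMPLE_KERNEL = "6.1.90-android14-11-gdeadbeef"


def parse_getprop(text):
    """Turn getprop's `[key]: [value]` lines into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M))


def kernel_tuple(uname):
    """Extract (major, minor, patch) from a uname -r string, or None if absent."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", uname)
    return tuple(int(x) for x in m.groups()) if m else None


def triage(props, uname, min_patch, min_kernel):
    """Return a list of findings; an empty list means the device meets the baseline.

    min_patch is an ISO date (YYYY-MM-DD) the security patch level must reach;
    min_kernel is a (major, minor, patch) tuple the kernel must reach.
    Both are operator policy values, not values taken from the advisory.
    """
    findings = []
    spl = props.get("ro.build.version.security_patch")
    if spl is None:
        findings.append("security patch level not reported")
    elif date.fromisoformat(spl) < date.fromisoformat(min_patch):
        findings.append(f"security patch level {spl} predates required {min_patch}")
    kv = kernel_tuple(uname)
    if kv is None:
        findings.append("kernel version unparsable")
    elif kv < min_kernel:
        findings.append(f"kernel {'.'.join(map(str, kv))} below required "
                        f"{'.'.join(map(str, min_kernel))}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_getprop(SAMPLE_PROPS), SAMPLE_KERNEL, "2025-04-01", (6, 1, 90)):
        print("FINDING:", line)
```

A device that passes this baseline has only declared a patch level; as the report itself argues, a vendor kernel can carry that date while still lacking backports for specific driver CVEs, so the check is a first filter, not proof of remediation.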
Potential Exploitation and Impact
A skilled attacker, or a malicious app embedded with native code execution capabilities, could exploit one or more of these CVEs to:
Gain root access (privilege escalation).
Bypass SELinux enforcement and app sandboxing.
Install persistent malware (rootkits).
Access or exfiltrate private data (photos, credentials, messages).
Disable or damage hardware components via PMIC exploits.
In combination, these vulnerabilities pose a severe risk to device integrity, confidentiality, and user safety.

Recommendations
Immediate Action for Users:
Avoid installing APKs from untrusted sources.
Refrain from granting root access or debugging privileges to any apps.
Monitor system behavior for anomalies (e.g., overheating, unexpected reboots).
Vendor Action:
Nubia/Redmagic must release firmware and kernel patches addressing these CVEs.
Kernel modules (GPU, ION, PMIC) should be recompiled against updated security policies and upstream kernel patches.
Security Research Implication:
These vulnerabilities should be further monitored in the wild for exploitation.
Responsible disclosure channels should be used to notify the OEM and Google.
Conclusion
The presence of CVE-2025-21832, CVE-2025-21830, CVE-2025-21829, and CVE-2025-21826 on the Redmagic 9s pro device indicates that despite relatively recent Android security updates, significant kernel-level vulnerabilities remain exploitable. This highlights a persistent gap between Google's AOSP patching and OEM-level firmware security practices. Users and vendors must act quickly to prevent real-world exploitation.