ASB-A-275041864

See a problem?
Import Source
https://storage.googleapis.com/android-osv-test/ASB-A-275041864.json
JSON Data
https://api.test.osv.dev/v1/vulns/ASB-A-275041864
Aliases
Published
2023-07-01T00:00:00Z
Modified
2025-08-06T16:29:06.385449Z
Summary
[none]
Details

In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / :linux_kernel:

Package

Name
:linux_kernel:

Affected ranges

Type
ECOSYSTEM
Events
Introduced
:0
Fixed
:2023-07-05

Affected versions

Other

Kernel

Ecosystem specific 

{
    "spl": "2023-07-05",
    "vanir_signatures": [
        {
            "id": "ASB-A-275041864-1d6cd19e",
            "source": "https://android.googlesource.com/kernel/common/+/1ca1130ec62d",
            "signature_type": "Line",
            "target": {
                "file": "drivers/android/binder.c"
            },
            "deprecated": false,
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "252530102621673318231637335926479342647",
                    "87192875603400529883008250378785255420",
                    "159843565326172231007309767080003006051",
                    "51136168544716794884672869366215500033",
                    "179673804923126895675067540334846865055",
                    "150506422259491266854052407338595924401",
                    "279376322504948356637762812615004606622",
                    "228186972999333401279920280121456493948",
                    "305887402727079857180736650126702107646",
                    "40923539709221891107552011779640203180",
                    "81192290756696598409291837260332988504",
                    "262055034741351384338032470421329258447",
                    "92081050878445695771733973482925951660",
                    "310829386508172285962237967407939503545",
                    "64115575920453203466363693101421696325",
                    "333292109230336727486686548552708909414",
                    "192560114736391899275650914181802579792",
                    "98532720046620784477790178791352067211",
                    "37910882427524754886280449559625828551",
                    "263519947819166742077849170822022642265",
                    "299748562350714225964294965988860959464",
                    "17475403224302800134938502453952523914",
                    "152169479100245268169514822601509725096",
                    "190681293642304026710783929617918540100",
                    "109755974159534571600599633204475863410",
                    "12729838988437282039661691163486572406",
                    "70011498989022892104521938610654535583",
                    "235463455810039749781411056914898646558",
                    "91033220132228591031135005506605760636"
                ],
                "threshold": 0.9
            }
        },
        {
            "id": "ASB-A-275041864-42b77ec3",
            "source": "https://android.googlesource.com/kernel/common/+/1ca1130ec62d",
            "signature_type": "Function",
            "target": {
                "file": "drivers/android/binder.c",
                "function": "binder_free_buf"
            },
            "deprecated": false,
            "signature_version": "v1",
            "digest": {
                "length": 746.0,
                "function_hash": "19363558258063083983609037154046116417"
            }
        },
        {
            "id": "ASB-A-275041864-9b39f865",
            "source": "https://android.googlesource.com/kernel/common/+/1ca1130ec62d",
            "signature_type": "Function",
            "target": {
                "file": "drivers/android/binder.c",
                "function": "binder_proc_transaction"
            },
            "deprecated": false,
            "signature_version": "v1",
            "digest": {
                "length": 1829.0,
                "function_hash": "202011936234455134374258078814169708467"
            }
        },
        {
            "id": "ASB-A-275041864-fc175b07",
            "source": "https://android.googlesource.com/kernel/common/+/1ca1130ec62d",
            "signature_type": "Function",
            "target": {
                "file": "drivers/android/binder.c",
                "function": "binder_transaction_buffer_release"
            },
            "deprecated": false,
            "signature_version": "v1",
            "digest": {
                "length": 3241.0,
                "function_hash": "99493580659905654752352877261084134034"
            }
        }
    ],
    "types": [
        "EoP"
    ],
    "severity": "High",
    "fixes": [
        "https://android.googlesource.com/kernel/common/+/1ca1130ec62d"
    ]
}