In unixscmtoskb of afunix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "317645370177825904117873425656913577228", "23828740084025546938029917959519242808", "17269500315359691155487481734165125553", "205518783801997791516617245688006293375", "126356142158529450982823959694424517468", "44555724291630707007541518954774462457", "49331023050186846796322229840320377836", "94483555152327774149700679998842424920", "285055582276144316951777175994396485683", "61015202346409625043268567667128470858", "319719393801817372111466737393311031907" ] }, "id": "ASB-A-196926917-515bd5b5", "source": "https://android.googlesource.com/kernel/common/+/cbcf01128d0a92e131bd09f1688fe032480b65ca", "deprecated": false, "signature_version": "v1", "target": { "file": "net/unix/af_unix.c" }, "signature_type": "Line" }, { "digest": { "length": 3152.0, "function_hash": "153461108373016994627573252914252607553" }, "id": "ASB-A-196926917-d9513ecd", "source": "https://android.googlesource.com/kernel/common/+/cbcf01128d0a92e131bd09f1688fe032480b65ca", "deprecated": false, "signature_version": "v1", "target": { "file": "net/unix/af_unix.c", "function": "unix_stream_read_generic" }, "signature_type": "Function" }, { "digest": { "length": 1919.0, "function_hash": "222800221791782858025618860169069511688" }, "id": "ASB-A-196926917-ed2800bf", "source": "https://android.googlesource.com/kernel/common/+/cbcf01128d0a92e131bd09f1688fe032480b65ca", "deprecated": false, "signature_version": "v1", "target": { "file": "net/unix/af_unix.c", "function": "unix_dgram_recvmsg" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/cbcf01128d0a92e131bd09f1688fe032480b65ca" ], "spl": "2021-11-05", "severity": "High", "types": [ "EoP" ] }