In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use-after-free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "259490984353565794537293102785524461468", "267555410826440730617402025523294325463", "119505457408262192768661853975109140881", "142829617297976972460419980282029867651" ] }, "id": "ASB-A-239630375-21d423f3", "source": "https://android.googlesource.com/kernel/common/+/19bb609b45fb", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c" }, "signature_type": "Line" }, { "digest": { "length": 544.0, "function_hash": "144919374509308714361278497894983203773" }, "id": "ASB-A-239630375-c131e652", "source": "https://android.googlesource.com/kernel/common/+/19bb609b45fb", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_inc_ref_for_node" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/19bb609b45fb" ], "spl": "2022-10-05", "severity": "High", "types": [ "EoP" ] }