In bindervmaclose of binder.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "100875016308097048072291723447710811875", "149568884223429909118461864484845063531", "70213872906120777345980907773890985356", "86488574879235347096510238924366881850", "102197622046000173361911449232118828731", "297695735167916381244666377250959927645", "104464989245594042592166828400026512939", "131812476344507624725627465123447311598", "39956935989143500963478394144784119019", "196563358893118200776470466394375565434", "104464989245594042592166828400026512939", "72179324111657337252246212890390875994" ] }, "id": "ASB-A-254837884-c24e19f2", "source": "https://android.googlesource.com/kernel/common/+/201d5f4a3ec1", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder_alloc.c" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/201d5f4a3ec1" ], "spl": "2023-01-05", "severity": "High", "types": [ "EoP" ] }