In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "252530102621673318231637335926479342647", "87192875603400529883008250378785255420", "159843565326172231007309767080003006051", "51136168544716794884672869366215500033", "179673804923126895675067540334846865055", "150506422259491266854052407338595924401", "279376322504948356637762812615004606622", "228186972999333401279920280121456493948", "305887402727079857180736650126702107646", "40923539709221891107552011779640203180", "81192290756696598409291837260332988504", "262055034741351384338032470421329258447", "92081050878445695771733973482925951660", "310829386508172285962237967407939503545", "64115575920453203466363693101421696325", "333292109230336727486686548552708909414", "192560114736391899275650914181802579792", "98532720046620784477790178791352067211", "37910882427524754886280449559625828551", "263519947819166742077849170822022642265", "299748562350714225964294965988860959464", "17475403224302800134938502453952523914", "152169479100245268169514822601509725096", "190681293642304026710783929617918540100", "109755974159534571600599633204475863410", "12729838988437282039661691163486572406", "70011498989022892104521938610654535583", "235463455810039749781411056914898646558", "91033220132228591031135005506605760636" ] }, "id": "ASB-A-275041864-1d6cd19e", "source": "https://android.googlesource.com/kernel/common/+/1ca1130ec62d", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c" }, "signature_type": "Line" }, { "digest": { "length": 746.0, "function_hash": "19363558258063083983609037154046116417" }, "id": "ASB-A-275041864-42b77ec3", "source": "https://android.googlesource.com/kernel/common/+/1ca1130ec62d", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_free_buf" }, "signature_type": "Function" }, { "digest": { "length": 1829.0, "function_hash": "202011936234455134374258078814169708467" }, "id": "ASB-A-275041864-9b39f865", "source": "https://android.googlesource.com/kernel/common/+/1ca1130ec62d", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_proc_transaction" }, "signature_type": "Function" }, { "digest": { "length": 3241.0, "function_hash": "99493580659905654752352877261084134034" }, "id": "ASB-A-275041864-fc175b07", "source": "https://android.googlesource.com/kernel/common/+/1ca1130ec62d", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_transaction_buffer_release" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/1ca1130ec62d" ], "spl": "2023-07-05", "severity": "High", "types": [ "EoP" ] }