In binderalloccopytobuffer of binder.c, there is a possible arbitrary code execution due to a use after free. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 957.0, "function_hash": "66753507924836775910400560798142281790" }, "id": "ASB-A-320661088-1c1d774f", "source": "https://android.googlesource.com/kernel/common/+/7a2aa337ab8235460c1efa92a846eaeade5f2514", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_get_object" }, "signature_type": "Function" }, { "digest": { "length": 957.0, "function_hash": "66753507924836775910400560798142281790" }, "id": "ASB-A-320661088-79c2ae95", "source": "https://android.googlesource.com/kernel/common/+/bf4f9bc41c3b5203e1e7284e1de78e82f0630473", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_get_object" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "29115821783006995889220911580082480479", "280393994292968683621617742395637642131", "324603365971076042156409818351823863238", "313249326651371733232230128638963259074", "35997565425222343542021450846225411228" ] }, "id": "ASB-A-320661088-b04bf23b", "source": "https://android.googlesource.com/kernel/common/+/7a2aa337ab8235460c1efa92a846eaeade5f2514", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "29115821783006995889220911580082480479", "280393994292968683621617742395637642131", "324603365971076042156409818351823863238", "313249326651371733232230128638963259074", "35997565425222343542021450846225411228" ] }, "id": "ASB-A-320661088-d47c8524", "source": "https://android.googlesource.com/kernel/common/+/bf4f9bc41c3b5203e1e7284e1de78e82f0630473", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/bf4f9bc41c3b5203e1e7284e1de78e82f0630473", "https://android.googlesource.com/kernel/common/+/7a2aa337ab8235460c1efa92a846eaeade5f2514" ], "spl": "2024-06-05", "severity": "High", "types": [ "EoP" ] }