ASB-A-343129193
See a problem?- Import Source
- https://storage.googleapis.com/android-osv/ASB-A-343129193.json
- JSON Data
- https://api.osv.dev/v1/vulns/ASB-A-343129193
- Aliases
-
- A-343129193
- CVE-2025-22438
- Published
- 2025-04-01T00:00:00Z
- Modified
- 2025-04-08T16:00:23Z
- Summary
- [none]
- Details
-
In afterKeyEventLockedInterruptable of InputDispatcher.cpp, there is a possible use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- References
Affected packages
Android / platform/frameworks/native
Package
Ecosystem specific
{
"vanir_signatures": [
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"159950434618348112404932011639717993461",
"251130068874848152702911342011700018883",
"309812315689813296124793857319445553897",
"15934354529885839375344483533599180617",
"62680452322183389739726380967039958689"
]
},
"id": "ASB-A-343129193-144dc17c",
"source": "https://android.googlesource.com/platform/frameworks/native/+/f50323a1538fc8da33a14c8ab2ee2fb02d45123d",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/inputflinger/dispatcher/InputDispatcher.h"
},
"signature_type": "Line"
},
{
"digest": {
"length": 5181.0,
"function_hash": "7225614367579260001138295715854138188"
},
"id": "ASB-A-343129193-1e1fd219",
"source": "https://android.googlesource.com/platform/frameworks/native/+/f50323a1538fc8da33a14c8ab2ee2fb02d45123d",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/inputflinger/dispatcher/InputDispatcher.cpp",
"function": "InputDispatcher::afterKeyEventLockedInterruptable"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"61502333314370103843416371831218019802",
"314887369145907602544610540580087213926",
"168096329763800169256753337301089531858",
"215016755901017524291322424868536938609",
"176037456883284026596768622789456098024",
"146278807053206681978306063124517250187",
"139354320051460634143866674216200923065",
"249483770489795114692900078966443136953",
"271514243130603046841709439448686126493",
"82883045109327363599492473515553307989",
"255238664264302092769458344523427464961",
"157303547835243705845294797500724544186",
"216439939200780513788982247478599435334",
"130522391484650342421286630129945237154",
"62519116189107506113068093593709649779"
]
},
"id": "ASB-A-343129193-95fcb596",
"source": "https://android.googlesource.com/platform/frameworks/native/+/f50323a1538fc8da33a14c8ab2ee2fb02d45123d",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/inputflinger/dispatcher/InputDispatcher.cpp"
},
"signature_type": "Line"
},
{
"digest": {
"length": 2015.0,
"function_hash": "157793954941330305983208832721457139567"
},
"id": "ASB-A-343129193-a98e686a",
"source": "https://android.googlesource.com/platform/frameworks/native/+/f50323a1538fc8da33a14c8ab2ee2fb02d45123d",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/inputflinger/dispatcher/InputDispatcher.cpp",
"function": "InputDispatcher::doDispatchCycleFinishedCommand"
},
"signature_type": "Function"
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/native/+/f50323a1538fc8da33a14c8ab2ee2fb02d45123d"
],
"spl": "2025-04-01",
"severity": "High",
"types": [
"EoP"
]
}
Android / platform/frameworks/native
Package
Ecosystem specific
{
"vanir_signatures": [
{
"digest": {
"length": 4910.0,
"function_hash": "77924214385883978679576738862022832706"
},
"id": "ASB-A-343129193-3a181490",
"source": "https://android.googlesource.com/platform/frameworks/native/+/7d7ac480ba006cff1f64eef416bb53f29ef9a146",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/inputflinger/dispatcher/InputDispatcher.cpp",
"function": "InputDispatcher::afterKeyEventLockedInterruptable"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"272916813047980256495446035476821482710",
"115611667400971894042403805396031379684",
"184896813638000907700655104704207320393",
"82396840426590864152422714726096882536",
"106038658224156774864421599958279043439",
"254369307048575448236416401537424528722",
"212669589425799752893066239503814864054",
"17594782324114365445650127406578693683",
"46746022327974272649862099992470591370",
"150244651663760367568352411127777084464",
"195772785205490978077467148072709586785",
"145459749775824226004547072647237692224",
"180736064032880293857127638477990782434",
"319360596727576648455008791876136892903"
]
},
"id": "ASB-A-343129193-6040e001",
"source": "https://android.googlesource.com/platform/frameworks/native/+/7d7ac480ba006cff1f64eef416bb53f29ef9a146",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/inputflinger/dispatcher/InputDispatcher.cpp"
},
"signature_type": "Line"
},
{
"digest": {
"length": 1761.0,
"function_hash": "183201712386919302288253379804327848145"
},
"id": "ASB-A-343129193-b904c7c8",
"source": "https://android.googlesource.com/platform/frameworks/native/+/7d7ac480ba006cff1f64eef416bb53f29ef9a146",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/inputflinger/dispatcher/InputDispatcher.cpp",
"function": "InputDispatcher::doDispatchCycleFinishedCommand"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"149557283037914210267265552861268837594",
"275561151031896725076089099864207847282",
"189049331956307362867007562768652933814",
"190614335634123759904063618450949681247"
]
},
"id": "ASB-A-343129193-baf951d2",
"source": "https://android.googlesource.com/platform/frameworks/native/+/7d7ac480ba006cff1f64eef416bb53f29ef9a146",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/inputflinger/dispatcher/InputDispatcher.h"
},
"signature_type": "Line"
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/native/+/7d7ac480ba006cff1f64eef416bb53f29ef9a146"
],
"spl": "2025-04-01",
"severity": "High",
"types": [
"EoP"
]
}
Android / platform/frameworks/native
Package
Ecosystem specific
{
"vanir_signatures": [
{
"digest": {
"length": 1761.0,
"function_hash": "183201712386919302288253379804327848145"
},
"id": "ASB-A-343129193-2a4bc77b",
"source": "https://android.googlesource.com/platform/frameworks/native/+/f68fc4c5751d08fdd29488e6c0394efce579cc54",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/inputflinger/dispatcher/InputDispatcher.cpp",
"function": "InputDispatcher::doDispatchCycleFinishedCommand"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"272916813047980256495446035476821482710",
"115611667400971894042403805396031379684",
"184896813638000907700655104704207320393",
"82396840426590864152422714726096882536",
"106038658224156774864421599958279043439",
"254369307048575448236416401537424528722",
"32102506703905871314638477234965878822",
"309651948326085143552886416580848939070",
"38232731063149067540540954595402249261",
"16998214873056964133155171387118138896",
"150244651663760367568352411127777084464",
"195772785205490978077467148072709586785",
"214956365742103488989034057071775574880",
"108889988987790899425804914581334788099",
"161585016218405061492474320011527773105"
]
},
"id": "ASB-A-343129193-8a2caf10",
"source": "https://android.googlesource.com/platform/frameworks/native/+/f68fc4c5751d08fdd29488e6c0394efce579cc54",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/inputflinger/dispatcher/InputDispatcher.cpp"
},
"signature_type": "Line"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"311380928505758434940509306963907185276",
"157809458925321809625484371393788931803",
"273994770666812008232124080381606098536",
"141686357255351520892512436530105755427",
"193700556358493602684515138268684311286"
]
},
"id": "ASB-A-343129193-92d01bf7",
"source": "https://android.googlesource.com/platform/frameworks/native/+/f68fc4c5751d08fdd29488e6c0394efce579cc54",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/inputflinger/dispatcher/InputDispatcher.h"
},
"signature_type": "Line"
},
{
"digest": {
"length": 4980.0,
"function_hash": "95720688057429602834626482160242287409"
},
"id": "ASB-A-343129193-ab8c1050",
"source": "https://android.googlesource.com/platform/frameworks/native/+/f68fc4c5751d08fdd29488e6c0394efce579cc54",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/inputflinger/dispatcher/InputDispatcher.cpp",
"function": "InputDispatcher::afterKeyEventLockedInterruptable"
},
"signature_type": "Function"
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/native/+/f68fc4c5751d08fdd29488e6c0394efce579cc54"
],
"spl": "2025-04-01",
"severity": "High",
"types": [
"EoP"
]
}