ASB-A-439862698
See a problem?- Import Source
- https://storage.googleapis.com/android-osv/ASB-A-439862698.json
- JSON Data
- https://api.osv.dev/v1/vulns/ASB-A-439862698
- Aliases
-
- A-439862698
- CVE-2025-40266
- Published
- 2026-03-01T00:00:00Z
- Modified
- 2026-03-02T17:41:28.651572Z
- Summary
- [none]
- Details
-
In _doffamemxfer of ffa.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- References
-
- https://source.android.com/security/bulletin/2026-03-01
- https://android.googlesource.com/kernel/common/+/c562f4013ec6771ede259cbec802c85dfdfdf00e
- https://android.googlesource.com/kernel/common/+/a45fbd0b57716dd1cc1dd5cfcf7a2756afcbc263
- https://android.googlesource.com/kernel/common/+/8cb652476b6303efe2584d38be8b20a84c141f95
Affected packages
Android / :linux_kernel:
Package
- Name
- :linux_kernel:
Ecosystem specific
{
"vanir_signatures": [
{
"id": "ASB-A-439862698-162ff1bd",
"signature_version": "v1",
"deprecated": false,
"source": "https://android.googlesource.com/kernel/common/+/a45fbd0b57716dd1cc1dd5cfcf7a2756afcbc263",
"target": {
"file": "arch/arm64/kvm/hyp/nvhe/ffa.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"327812027001212326326252351884516186619",
"44176443179071931831701391939500011105",
"147489824640429166335512541612647458576",
"80918826664977494976884259846067450060",
"183352263161185645109269852009209379679",
"98444722238491462110173671000953519696",
"321097935536673174331856265303542705887",
"311492429357484760124098319023982015442",
"4811309015228106692246208323283665967",
"182590468087232917895804921850349675620",
"205300576309583408248724153882582836257"
]
},
"signature_type": "Line"
},
{
"id": "ASB-A-439862698-2f6361f9",
"signature_version": "v1",
"deprecated": false,
"source": "https://android.googlesource.com/kernel/common/+/8cb652476b6303efe2584d38be8b20a84c141f95",
"target": {
"function": "__do_ffa_mem_xfer",
"file": "arch/arm64/kvm/hyp/nvhe/ffa.c"
},
"digest": {
"length": 3711.0,
"function_hash": "76030628294537293287519997211814314981"
},
"signature_type": "Function"
},
{
"id": "ASB-A-439862698-6e18a575",
"signature_version": "v1",
"deprecated": false,
"source": "https://android.googlesource.com/kernel/common/+/c562f4013ec6771ede259cbec802c85dfdfdf00e",
"target": {
"function": "__do_ffa_mem_xfer",
"file": "arch/arm64/kvm/hyp/nvhe/ffa.c"
},
"digest": {
"length": 1869.0,
"function_hash": "186427790654760095921723212299028633834"
},
"signature_type": "Function"
},
{
"id": "ASB-A-439862698-a017713c",
"signature_version": "v1",
"deprecated": false,
"source": "https://android.googlesource.com/kernel/common/+/a45fbd0b57716dd1cc1dd5cfcf7a2756afcbc263",
"target": {
"function": "__do_ffa_mem_xfer",
"file": "arch/arm64/kvm/hyp/nvhe/ffa.c"
},
"digest": {
"length": 1926.0,
"function_hash": "5154797593202986614901382262329245182"
},
"signature_type": "Function"
},
{
"id": "ASB-A-439862698-cc9c14b2",
"signature_version": "v1",
"deprecated": false,
"source": "https://android.googlesource.com/kernel/common/+/8cb652476b6303efe2584d38be8b20a84c141f95",
"target": {
"file": "arch/arm64/kvm/hyp/nvhe/ffa.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"56978094037872832168860887538617948574",
"331374993265782233906655642277367113391",
"141724634923355513390153563463580479995",
"3149900303226239789257214458860780420",
"320128571396765697889641353859536140478",
"312931568109404009576793046668471555869",
"32833854522265081352954976423282186580",
"193643394276807855120611146299365349165"
]
},
"signature_type": "Line"
},
{
"id": "ASB-A-439862698-e2068330",
"signature_version": "v1",
"deprecated": false,
"source": "https://android.googlesource.com/kernel/common/+/c562f4013ec6771ede259cbec802c85dfdfdf00e",
"target": {
"file": "arch/arm64/kvm/hyp/nvhe/ffa.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"115127725875242646202627530853255612593",
"44176443179071931831701391939500011105",
"147489824640429166335512541612647458576",
"80918826664977494976884259846067450060",
"183352263161185645109269852009209379679",
"98444722238491462110173671000953519696",
"321097935536673174331856265303542705887",
"311492429357484760124098319023982015442",
"4811309015228106692246208323283665967",
"182590468087232917895804921850349675620",
"205300576309583408248724153882582836257"
]
},
"signature_type": "Line"
}
],
"types": [
"EoP"
],
"spl": "2026-03-05",
"severity": "High",
"fixes": [
"https://android.googlesource.com/kernel/common/+/c562f4013ec6771ede259cbec802c85dfdfdf00e",
"https://android.googlesource.com/kernel/common/+/a45fbd0b57716dd1cc1dd5cfcf7a2756afcbc263",
"https://android.googlesource.com/kernel/common/+/8cb652476b6303efe2584d38be8b20a84c141f95"
]
}