In locksocknested of sock.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "23347061211291941481806857906102284911", "177002230662709273784008017188721606951", "48376934442674723451773150477588234907", "182299074923096271849129184776724678993", "338676634134201886380325063000256267269", "291290793429430997008888280029755099487", "144172288641749097597953834940837677490", "336369842191703597786746992019606580619", "71065391040256152326279089265785663849", "323652614636588655306470968658792666077", "85746989684007224125230686831696881199", "59410769388531461730540176810929051063", "217131076971137137259778968319834908859", "158810023086232955152764885098882485330", "338676634134201886380325063000256267269", "135099952024222933799081601528028364426", "97021692627629513048798716597852309642", "86193371296286845210734849710227024821", "297085228972537975585287790301781137066", "266439521223484594231214930226963099212", "271182323383272205431929266079022407078" ] }, "id": "PUB-A-174846563-106ccc13", "source": "https://android.googlesource.com/kernel/common/+/769d14abd35e0", "deprecated": false, "signature_version": "v1", "target": { "file": "net/sctp/diag.c" }, "signature_type": "Line" }, { "digest": { "length": 76.0, "function_hash": "289627938984407819320593096123563229491" }, "id": "PUB-A-174846563-143af40f", "source": "https://android.googlesource.com/kernel/common/+/769d14abd35e0", "deprecated": false, "signature_version": "v1", "target": { "file": "net/sctp/endpointola.c", "function": "sctp_endpoint_hold" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "309383236726669950585157689903458752515", "88260067284349508674870075420060564826", "155292910023572277903270872531702950838", "134290720386689805509421112861744409388", "137027131051176327367587178198067611650", "105526423192713990914016495304444566670", "6131714833563070702088356873832316837", "270597856673008406909092052482272803316" ] }, "id": "PUB-A-174846563-1541fde2", "source": "https://android.googlesource.com/kernel/common/+/769d14abd35e0", "deprecated": false, "signature_version": "v1", "target": { "file": "include/net/sctp/structs.h" }, "signature_type": "Line" }, { "digest": { "length": 607.0, "function_hash": "163259973829971906389599524297629906217" }, "id": "PUB-A-174846563-1630c632", "source": "https://android.googlesource.com/kernel/common/+/769d14abd35e0", "deprecated": false, "signature_version": "v1", "target": { "file": "net/sctp/socket.c", "function": "sctp_for_each_transport" }, "signature_type": "Function" }, { "digest": { "length": 1260.0, "function_hash": "126825142230646115460025181308384348397" }, "id": "PUB-A-174846563-22e1eacf", "source": "https://android.googlesource.com/kernel/common/+/769d14abd35e0", "deprecated": false, "signature_version": "v1", "target": { "file": "net/sctp/diag.c", "function": "sctp_sock_dump" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "21029744086309906970192052545801022644", "106626585854412762394079991574934827856", "50472161052762845031951012452900617485", "161416688380122876796813718749523477740", "201400781867629564491302620713910763644", "135879850248734875220118336854112733897", "237041325697964225834429682552458975556", "41173980032348538667588302154121489846", "113562329963194921225501512825865264236" ] }, "id": "PUB-A-174846563-7f204eef", "source": "https://android.googlesource.com/kernel/common/+/769d14abd35e0", "deprecated": false, "signature_version": "v1", "target": { "file": "include/net/sctp/sctp.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "77193003971849626018765633387649046973", "82115348930108064197334200024154074498", "269294668493860627699164151471595859596", "43650239782021040008766962902246222476", "163270045153988776586878691775726133960", "315911071379310057430653051766749740245", "186201964194282393744418514394443606371", "296980782533405293265090397253198875652", "270293343885687206722616696434647117664", "121785418128703810881838935323955722146", "52695996913667367082078284090442762055", "36214710859350875217012576783547298531", "165385393037156771776296065381759236306", "340103536046995691884541934066684729201", "267199293733246693683458233170125595373", "46958561471194245189831729508447736562", "44096646829538136613692942564487221239", "69887669591234300476500013493416067482", "287433118589882673733146831615774929913", "207011356434488265614941819158240886511", "25771891663138874142886022233768142948", "101958866392095468117239515781232537850", "2021272789740270285622707479131571873", "112722235892719158983243476694290259423", "9146097746976765165105370416997648494", "322296279780217818017213369637734780454", "233689922645175987651037017009216159089", "115220128488945262303025556472777370136", "91704628221969302552468011035767942819" ] }, "id": "PUB-A-174846563-8b402d12", "source": "https://android.googlesource.com/kernel/common/+/769d14abd35e0", "deprecated": false, "signature_version": "v1", "target": { "file": "net/sctp/socket.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "136705704668287840838098663425903034513", "209011007118665923910912207593411207834", "195304914403678243150676024956944031826", "234261603079972679903775017704876541856", "160982432776247276356533607157783564410", "231748902300842946121468390622158524838", "105702593457023692281795196419238299983", "166824963132324437765813543408167983364", "251960731091318363314892629619975711501", "208190353853242567467607915468660235125", "102563894740154053488831973439967749797", "219675865577385818886984314696480683657", "27342335990728957538735726433258772481", "328276165476366546641643445894555965025" ] }, "id": "PUB-A-174846563-a0e935f9", "source": "https://android.googlesource.com/kernel/common/+/769d14abd35e0", "deprecated": false, "signature_version": "v1", "target": { "file": "net/sctp/endpointola.c" }, "signature_type": "Line" }, { "digest": { "length": 618.0, "function_hash": "95825773360939100849072090054173255776" }, "id": "PUB-A-174846563-c6208bdd", "source": "https://android.googlesource.com/kernel/common/+/769d14abd35e0", "deprecated": false, "signature_version": "v1", "target": { "file": "net/sctp/endpointola.c", "function": "sctp_endpoint_destroy" }, "signature_type": "Function" }, { "digest": { "length": 436.0, "function_hash": "219892017511828597570517694760514253467" }, "id": "PUB-A-174846563-cf1e5d11", "source": "https://android.googlesource.com/kernel/common/+/769d14abd35e0", "deprecated": false, "signature_version": "v1", "target": { "file": "net/sctp/diag.c", "function": "sctp_sock_filter" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/769d14abd35e0" ], "spl": "2022-06-05", "severity": "Moderate", "types": [ "EoP" ] }