In xfrm_state_fini and related functions of xfrm_state.c and related files, there is a possible way to corrupt memory due to a use-after-free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "243161038827417096249117573138058777384", "2533267672426962681489286755455487889", "332694360237361977395182802341411362187" ] }, "id": "PUB-A-191191823-19b36eff", "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399", "deprecated": false, "signature_version": "v1", "target": { "file": "include/net/xfrm.h" }, "signature_type": "Line" }, { "digest": { "length": 408.0, "function_hash": "6852462641908386585231461938522555527" }, "id": "PUB-A-191191823-a4aa4dff", "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399", "deprecated": false, "signature_version": "v1", "target": { "file": "net/ipv6/xfrm6_tunnel.c", "function": "xfrm6_tunnel_net_exit" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "229523491602531160254065325555422879319", "197281378742686019844393500848894072709", "228849362016189875298579074914545463885", "123416886296457462454909832722580561112", "109660003496568191125696794790970104126", "138362605100217816335591702430092581019", "283486307793756631151039538623233244132", "168437063971864032226983419579197506024", "109903552203742180102891192853726083337", "218783971530653667576326592185539146816", "61905635418335728281139742996708078973", "64956988977403150703103618655309563032", "10159363312468416494411373139083858061", "230854622574928264560172461107740349273", "242175030523505564915220495847088454605", "267868390585593816517915983992887850017" ] }, "id": "PUB-A-191191823-bbefcf37", "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399", "deprecated": false, "signature_version": "v1", "target": { "file": "net/xfrm/xfrm_user.c" }, "signature_type": "Line" }, { "digest": { "length": 919.0, "function_hash": "258793581796817467857631674352932460528" }, "id": "PUB-A-191191823-bfb85366", "source": 
"https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399", "deprecated": false, "signature_version": "v1", "target": { "file": "net/xfrm/xfrm_user.c", "function": "validate_tmpl" }, "signature_type": "Function" }, { "digest": { "length": 638.0, "function_hash": "159688494881237414820018288092704824487" }, "id": "PUB-A-191191823-c7e2f3e7", "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399", "deprecated": false, "signature_version": "v1", "target": { "file": "net/xfrm/xfrm_state.c", "function": "xfrm_state_fini" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "334119904790110196879810912817670783742", "307855993762072398891459568333205928644", "210678993606077500116061939022504978348", "329715576545611587226342160905857423912" ] }, "id": "PUB-A-191191823-daa424a1", "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399", "deprecated": false, "signature_version": "v1", "target": { "file": "net/ipv6/xfrm6_tunnel.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "139829487342025565876134762685900894426", "208878218324934034428961596748072993814", "214525917770506738197174906734251663048", "178983729390585286081504476329595606588", "52889798868292353760802554894756158332" ] }, "id": "PUB-A-191191823-e3dda7a6", "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399", "deprecated": false, "signature_version": "v1", "target": { "file": "net/key/af_key.c" }, "signature_type": "Line" }, { "digest": { "length": 1141.0, "function_hash": "322891837955063607216551630497528273955" }, "id": "PUB-A-191191823-f6cce137", "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399", "deprecated": false, "signature_version": "v1", "target": { "file": "net/key/af_key.c", "function": "parse_ipsecrequest" }, 
"signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "290396018789963347844672641138512346602", "274682750171497662749304830912080441716", "162785980661114099367108606951023614806", "318860455114264030518797770141199847702" ] }, "id": "PUB-A-191191823-fd212021", "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399", "deprecated": false, "signature_version": "v1", "target": { "file": "net/xfrm/xfrm_state.c" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399" ], "spl": "2021-10-05", "severity": "Moderate", "types": [ "EoP" ] }