In kernel/bpf/verifier.c , there is a possible way to manipulate pointer arithmetic due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "18768621085448646307001774199887104283", "93374316942925291244273634967322974642", "161590431358123676568935454992550880906", "92148593491386859782013470932680897551", "123659105662047396412296602146039075125", "195818613178541754245504552110243103958", "43450431872990335751792943591283670313", "106987073898418360256637578858320473377", "183347015836270441868035023872223045084", "212073938337863780447978151052667766045", "309670263801451798605381809681899651599", "247614672319011049154811586334740522044", "237473971868900634033954528060497004504" ] }, "id": "PUB-A-215814262-4090b204", "source": "https://android.googlesource.com/kernel/common/+/35ab8c9085b0a", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c" }, "signature_type": "Line" }, { "digest": { "length": 4756.0, "function_hash": "322483173983893910112606866589989019594" }, "id": "PUB-A-215814262-cb31468c", "source": "https://android.googlesource.com/kernel/common/+/35ab8c9085b0a", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c", "function": "adjust_ptr_min_max_vals" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/35ab8c9085b0a" ], "spl": "2022-06-05", "severity": "Moderate", "types": [ "EoP" ] }