In u32destroykey and related functions of cls_u32.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "12017464697272376360987189896020453373", "165231272990745208968986246096614300069", "87650411860073721519959697817878930347", "88694137705524582580283107960433414973", "224285556317071150239673333363294070043", "144235103204564871651266205177890851851", "157244778432830356029186041127852239806", "21813636616839787135585863339382516964", "252670340304475351347883320302141467185", "192365946415484217726774929876015375710", "47800162176297341138108122538091553217", "47724439811176151872579890481740506838", "239874854340968674947247384111587784877", "130392416201730244011379719188200507134", "46946862416912281296113593460524542671", "166078287458666762714164497717527077339", "202849110814589256742921006678392152027", "42661982679347269166491627993939027840", "117989092257963302905714203891891025712", "140618196356520074686234444381927648505", "285311416879944560634137249576817089678", "243143923999761648029549941851657588765", "42661982679347269166491627993939027840", "2767581338422267267398979711530137858" ] }, "id": "PUB-A-233075473-29f81379", "source": "https://android.googlesource.com/kernel/common/+/b5a54d8de219f9affbd98e94ccdbaa7781e7a555", "deprecated": false, "signature_version": "v1", "target": { "file": "net/sched/cls_u32.c" }, "signature_type": "Line" }, { "digest": { "length": 5780.0, "function_hash": "54577984981276901081971127704180670658" }, "id": "PUB-A-233075473-9da0c358", "source": "https://android.googlesource.com/kernel/common/+/b5a54d8de219f9affbd98e94ccdbaa7781e7a555", "deprecated": false, "signature_version": "v1", "target": { "file": "net/sched/cls_u32.c", "function": "u32_change" }, "signature_type": "Function" }, { "digest": { "length": 414.0, "function_hash": "199640517961603568396860261614330980616" }, "id": "PUB-A-233075473-b238edc2", "source": "https://android.googlesource.com/kernel/common/+/b5a54d8de219f9affbd98e94ccdbaa7781e7a555", "deprecated": false, "signature_version": "v1", "target": { "file": "net/sched/cls_u32.c", "function": "u32_destroy_key" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/b5a54d8de219f9affbd98e94ccdbaa7781e7a555" ], "spl": "2022-08-05", "severity": "Moderate", "types": [ "EoP" ] }