In ctlelemreaduser, ctlelemwriteuser of control_compat.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 1120.0, "function_hash": "108546834540970082224391656027863927244" }, "id": "PUB-A-265303544-1c383694", "source": "https://android.googlesource.com/kernel/common/+/cc6c5c7fa237f65b08b9618188efe4b24b9cd886", "deprecated": false, "signature_version": "v1", "target": { "file": "sound/core/control.c", "function": "snd_ctl_elem_read" }, "signature_type": "Function" }, { "digest": { "length": 432.0, "function_hash": "110624146881422686246579966075625091336" }, "id": "PUB-A-265303544-a3d349d4", "source": "https://android.googlesource.com/kernel/common/+/cc6c5c7fa237f65b08b9618188efe4b24b9cd886", "deprecated": false, "signature_version": "v1", "target": { "file": "sound/core/control.c", "function": "snd_ctl_elem_read_user" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "186607239495494521708467879435343065615", "212664839145390613949645046363591000271", "149113412087965249285789999789759829250", "38831955080342594281681030311705626136", "2537851518482303166650449799008285652", "229097576403856898208282461426400186192", "40668920917381371557727796699509832693", "269030988961068168477352165339310355473", "34683639759013372286990791926674267764", "70533672557710452064723629541716687229", "294271495427283444300796166215170512256", "181425378123470567080983780060214632848", "20729971361921587414157959717294908533", "193093375844389302646809722951735316713", "300087900115591481794084679833867949444", "307970832768720826231072904430866452061", "82581469905076220839769012484966017757", "323474068548694245121911692978069740543", "87189583438830893185036350527740470068", "218168557449617070597694659820908984599", "217050888083783622938933330720759435266", "172039338081040665959204736151636134986", "4290970684720465065950032129580990899", "61328621556464847727911229436532507196", "143410256173377944969896050248475418633", "85577603903434646525647638053671613602", "256411198170490882597005897306046760777", "150441140108143852574155293743550206083", "219844924398793537918222388243334597605" ] }, "id": "PUB-A-265303544-b3a84caf", "source": "https://android.googlesource.com/kernel/common/+/cc6c5c7fa237f65b08b9618188efe4b24b9cd886", "deprecated": false, "signature_version": "v1", "target": { "file": "sound/core/control.c" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/cc6c5c7fa237f65b08b9618188efe4b24b9cd886" ], "spl": "2023-04-05", "severity": "Moderate", "types": [ "EoP" ] }