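In ipcSetDataReference of Parcel.cpp, there is a possible way to corrupt memory due to a use-after-free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. The two records below each reference one fix commit to libs/binder/Parcel.cpp in platform/frameworks/native, together with the Vanir function and line signatures derived from that commit for missing-patch detection.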
{ "vanir_signatures": [ { "digest": { "length": 1276.0, "function_hash": "144609664463200789840411049854569021572" }, "id": "ASB-A-203847542-b60b1a8c", "source": "https://android.googlesource.com/platform/frameworks/native/+/d668098e4714025b41052207c9332de86dc3936a", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/binder/Parcel.cpp", "function": "Parcel::ipcSetDataReference" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "98137480975788759579922814741327671228", "296481944491939447479301249339620908390", "255680770530481632092119999480852922173", "335918368435902695206397568346019004575", "132768507783080792642256092800878294969", "103982756747036362728424074686863731880", "185907099120875731621615021484317954078" ] }, "id": "ASB-A-203847542-c4233554", "source": "https://android.googlesource.com/platform/frameworks/native/+/d668098e4714025b41052207c9332de86dc3936a", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/binder/Parcel.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/native/+/d668098e4714025b41052207c9332de86dc3936a" ], "spl": "2022-01-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "98137480975788759579922814741327671228", "296481944491939447479301249339620908390", "255680770530481632092119999480852922173", "335918368435902695206397568346019004575", "132768507783080792642256092800878294969", "103982756747036362728424074686863731880", "185907099120875731621615021484317954078" ] }, "id": "ASB-A-203847542-5ce76df0", "source": "https://android.googlesource.com/platform/frameworks/native/+/7c8497e0127dde63957ee39e90e62b119d09948d", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/binder/Parcel.cpp" }, "signature_type": "Line" }, { "digest": { "length": 1139.0, "function_hash": "332897563253174728649794722178199941684" }, "id": "ASB-A-203847542-c9140953", "source": "https://android.googlesource.com/platform/frameworks/native/+/7c8497e0127dde63957ee39e90e62b119d09948d", "deprecated": false, "signature_version": "v1", "target": { "file": "libs/binder/Parcel.cpp", "function": "Parcel::ipcSetDataReference" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/native/+/7c8497e0127dde63957ee39e90e62b119d09948d" ], "spl": "2022-01-01", "severity": "High", "types": [ "EoP" ] }