{"id":"ASB-A-185125206","details":"In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-185125206","CVE-2021-39698"],"modified":"2026-03-11T06:04:59.368651Z","published":"2022-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-03-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/42288cb44c4b"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/a880b28a71e3"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/9537bae0da1f"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/363bee27e258"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/50252e4b5e98"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2022-03-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/kernel/common/+/42288cb44c4b","https://android.googlesource.com/kernel/common/+/a880b28a71e3","https://android.googlesource.com/kernel/common/+/9537bae0da1f","https://android.googlesource.com/kernel/common/+/363bee27e258","https://android.googlesource.com/kernel/common/+/50252e4b5e98"],"spl":"2022-03-05","vanir_signatures":[{"id":"ASB-A-185125206-0ac9e315","digest":{"length":398,"function_hash":"48664362563097039085937984030622063159"},"target":{"function":"aio_poll_cancel","file":"fs/aio.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/363bee27e258"},{"id":"ASB-A-185125206-226c86e8","digest":{"length":379,"function_hash":"308048047356879514759023181521934442748"},"target":{"function":"aio_poll_cancel","file":"fs/aio.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/50252e4b5e98"},{"id":"ASB-A-185125206-37702b94","digest":{"length":1523,"function_hash":"286068233086057103825368097150131609215"},"target":{"function":"binder_thread_release","file":"drivers/android/binder.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/a880b28a71e3"},{"id":"ASB-A-185125206-40183ca8","digest":{"length":1555,"function_hash":"126875804775231147870201195932557025459"},"target":{"function":"aio_poll","file":"fs/aio.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/50252e4b5e98"},{"id":"ASB-A-185125206-4e199bbc","digest":{"line_hashes":["103916783104200225590315384564690618197","236509916116266473763258182693507802742","259396545084157868375856052904919317990","216563909856872903011323845599559178225","12935958415669728427273859226269780261","232477855709712011546985403374999130140","38831775736977076894545359179532822341","118658252037286368458906578258874855382","176982169692379114039839514080990250346","104553538000156914569600823498682441290","137044513656280945817186712229539923878","328321547004239131670705461366780532499","31369718469835440617969541934242286972","66926286447589769034882470391588583933","191489564456247227330801345239873711327","305016742332351135084166958525980282687","6027948235401509478656525517962745394","309246750004774701880627881223762794808","22198911719718862665757955789024710739","207075542232579074507606523505635544047","318589412445344306456427818642976683913","172885276292568756527448415567050244155","248282781846124124892998591196225050092","186463304814804592875391125259939550989","78046434226596595915097605772261604387","106831605062502963455075920510680873813","177174941729083835361223288250332912916","36845927603836903077346897458382264477","166358367031841690424108727429141437387","242874020948122927559290614323949753523","182332632632781213139028756428184079032","248116527722943252283752275548762343320","187302069444600835605479567796184876440","63193489760933081091667835079556342197","70903549810169373337370957317399072732","287054059610941266093125878961262692970","129845873133191568953762808756726623819","192949726594344925260897905966374748305","29759759588795143611068574008286110262","333555313393238712091570840098623705154","275158411482825645527843211917488113315","167720075858659256732881804339397333372","205902425903415360724186242451849063514","247169333687966575483923179990995444077","97408840952290038204860707048139270898","237938949970308812725196224369502533363","208127112071029664890800528600570334250","85020270651346562667816460986010768909","300571512654863522182820932214511807067","327637700692032099504245926383636385065","205325363407784228426987383916305428743","326705624405673617491715203248881513224","155560678888687617551492776598446624547","282618360266967336500669088203821671184","122828978841391632589289460797260255265","205348243970558946997998732074545329166","6825112074509061086019510677574037767","66248155285419425029817881918285021593","123991380326168615317409051066714529063","298239060112381811784664984001488945901","258421734988650581639697698232703657837","10039025578362999877079107379489462536","25090630230439398750840307312943732718","304119339385757645694887278820199768718","332541348538714314374599821534571427172","146380466341891811037367824173449252633"],"threshold":0.9},"target":{"file":"fs/aio.c"},"signature_version":"v1","deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/50252e4b5e98"},{"id":"ASB-A-185125206-80031aaf","digest":{"line_hashes":["248044228784431710153433944130072156452","128223112585543820893114641938467064627","153749886573398998820843494508881553561","22690399545950407354229332458077302347","306699035265393185700572334728025254122","229424086816602809388033835002640591616","180390852260809398112002006953101936720"],"threshold":0.9},"target":{"file":"include/linux/wait.h"},"signature_version":"v1","deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/42288cb44c4b"},{"id":"ASB-A-185125206-91297e96","digest":{"length":349,"function_hash":"33875190150141856899195094898248023279"},"target":{"function":"aio_poll_queue_proc","file":"fs/aio.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/50252e4b5e98"},{"id":"ASB-A-185125206-92d59e33","digest":{"length":1475,"function_hash":"49635016545928884911889530557603545332"},"target":{"function":"aio_poll","file":"fs/aio.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/363bee27e258"},{"id":"ASB-A-185125206-b28deb9b","digest":{"length":842,"function_hash":"326172184915394308963536867978640660186"},"target":{"function":"aio_poll_wake","file":"fs/aio.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/363bee27e258"},{"id":"ASB-A-185125206-c5fd2ecd","digest":{"length":955,"function_hash":"245784321786892804612135879357266730768"},"target":{"function":"aio_poll_wake","file":"fs/aio.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/50252e4b5e98"},{"id":"ASB-A-185125206-c9d43168","digest":{"length":165,"function_hash":"67572656327009579849403738774370743895"},"target":{"function":"signalfd_cleanup","file":"fs/signalfd.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/9537bae0da1f"},{"id":"ASB-A-185125206-ce0ef043","digest":{"line_hashes":["6941564317409617241089301594041543066","103351782056066674868874000229765707665","242638744609477601361387452345239079513","104002201304374990143959956298713995237","155709114170001778938443745411622160518","165275952724234069055488766353876295993","223533195947044949568486434514866187418","170344438694221706773366560627056654553","58806335242093387451323277556818170556","149717994431064302113126109537802459996","89175490121041634805927368757403148807","121233759456881794857575498078045582016","327676449199616417191783098260484449701","160955319403040054488940436535284034912","307939597315885307025429890389099870214","84110454996824458324427339789187308044","118654329723819124096270005656372436219","324689238848297063015777098420792354839","315703366456570174492565925613244232873","88782392931738685003734547417375780446","141244285935212872411284830141365674146","106596573705925942568344023002016642305","87229697125214511538518040477418418214","316003180211049317472872701371300402513","98899605980317458502504177050771392521","240577467432155699276082566261740799725","222669914081868428049310264739663645406","260429928717406674064072784393885412128","334551937006511525366394197467391651410","65375094132789678229925744913460230445","178528379366289195136358992747951081432","134634952871901940891344612520726121192","3805669452103208131664862255485467362","262686834902082563054083695832896511832","292485236483489988838386760843029912520","329574738545635001704130590541270729693","149047243794022697069560203129028530432","189669329956648214027911091645368706385","268310562268409619667739698695719014325","304442530069388223404256162984765164392","287584298307609544445039229949011506056","274581115645612159067920208853686515215","78955842661876826320250552059472020392","259997418578704740287824252486730568360","266265402738631992599040286379184175345","275003481178102214273037433308523926723","172492287899119440591989763466426208927","159393208319222824141300797434108679477","291337195123320697156730133317074768933","336601227695372073629019615297439158270","170287421870503459413919181986206239668","97244153192675645733027910494675197539","244306224199654148106752181544230754183","166712329193458721216569090958515601800","135026332397967437351268850093575256590"],"threshold":0.9},"target":{"file":"fs/aio.c"},"signature_version":"v1","deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/363bee27e258"},{"id":"ASB-A-185125206-dacd920b","digest":{"length":698,"function_hash":"174556425550256220239215856749256710223"},"target":{"function":"aio_poll_complete_work","file":"fs/aio.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/363bee27e258"},{"id":"ASB-A-185125206-e8972c8a","digest":{"line_hashes":["107998276079783001560844285598274983478","303679336613066718090978924244022024947","77240607771191724348802695810025159465","95425074598750498860095129409189991462","327767320933458985763007091995827377743","50620416591739968315417010815095164813","264697154270533208543446285898729027903"],"threshold":0.9},"target":{"file":"fs/signalfd.c"},"signature_version":"v1","deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/9537bae0da1f"},{"id":"ASB-A-185125206-ea1b8eb2","digest":{"line_hashes":["104435129767682935149922247510491348651","79313610870683105727185858739577697767","115497647094408139906756067202732125743","68506375173070114133035649734088381462","154281057069382998527672662923195835784","116706163922744684489758722233403851718","309189070414507316548009017626054566040","291746325821478733969995376520338372989"],"threshold":0.9},"target":{"file":"drivers/android/binder.c"},"signature_version":"v1","deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/a880b28a71e3"},{"id":"ASB-A-185125206-eca44afc","digest":{"length":924,"function_hash":"214299788738922068342006788671229554664"},"target":{"function":"aio_poll_complete_work","file":"fs/aio.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/50252e4b5e98"},{"id":"ASB-A-185125206-f56e7593","digest":{"line_hashes":["99222207583294815325669404191353885718","221371168808624593900345926208085843315","268767183069683726538618246351402780418"],"threshold":0.9},"target":{"file":"kernel/sched/wait.c"},"signature_version":"v1","deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/42288cb44c4b"}],"severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-185125206.json"}}],"schema_version":"1.7.5"}