{"id":"ASB-A-210292376","details":"In various setup methods of the USB gadget subsystem, there is a possible out of bounds write due to an incorrect flag check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-210292376","CVE-2021-39685"],"modified":"2026-03-11T06:18:43.420481Z","published":"2022-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-03-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/53afb231f54a69d827b882fa282b30bb10cb08a5"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2022-03-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","https://android.googlesource.com/kernel/common/+/53afb231f54a69d827b882fa282b30bb10cb08a5","https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88"],"severity":"High","spl":"2022-03-05","vanir_signatures":[{"deprecated":false,"target":{"file":"drivers/usb/gadget/legacy/inode.c","function":"gadgetfs_setup","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","signature_type":"Function","signature_version":"v1","id":"ASB-A-210292376-07c28504","digest":{"length":3917,"function_hash":"51759867175630936810844205975104072139"}},{"deprecated":false,"target":{"file":"drivers/usb/gadget/composite.c","function":"composite_setup","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","signature_type":"Function","signature_version":"v1","id":"ASB-A-210292376-10c06503","digest":{"length":8448,"function_hash":"5478919993484057482267054353714439302"}},{"deprecated":false,"target":{"file":"drivers/usb/gadget/legacy/dbgp.c","function":"dbgp_setup","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88","signature_type":"Function","signature_version":"v1","id":"ASB-A-210292376-15653578","digest":{"length":1621,"function_hash":"93752368828605204984022412487897098288"}},{"deprecated":false,"target":{"file":"drivers/usb/gadget/composite.c","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88","signature_type":"Line","signature_version":"v1","id":"ASB-A-210292376-23d2e7a8","digest":{"threshold":0.9,"line_hashes":["132148347048279419280812656841126240180","338407080313961553039665632921969748325","30319679445911400763643158899393296638","23529657258676302058030637143664411757","232491551941646124643748727117521007993","57219422123411163541532791633072929079","328093589067149246509546984881844954464","192871118795807847659645640117966101676","212530147027068052741102169768699200053"]}},{"deprecated":false,"target":{"file":"drivers/usb/gadget/legacy/dbgp.c","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/53afb231f54a69d827b882fa282b30bb10cb08a5","signature_type":"Line","signature_version":"v1","id":"ASB-A-210292376-3732d93f","digest":{"threshold":0.9,"line_hashes":["44388756161188325535624964539810122580","300636872095149243812570197716301505112","265144746910665567402077785482016730384","209658912545017139654451643257511707256"]}},{"deprecated":false,"target":{"file":"drivers/usb/gadget/legacy/inode.c","function":"gadgetfs_setup","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88","signature_type":"Function","signature_version":"v1","id":"ASB-A-210292376-39657ba2","digest":{"length":4122,"function_hash":"105913675375561089862977033170352909625"}},{"deprecated":false,"target":{"file":"drivers/usb/gadget/legacy/dbgp.c","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88","signature_type":"Line","signature_version":"v1","id":"ASB-A-210292376-49cbc5e1","digest":{"threshold":0.9,"line_hashes":["154577222357527416269986822795562249155","325717861012887528918453907485411867611","103512566246965709614821552541975923097","60644498906439300369322499150066009106","280716830574389440697189285742828817462","9411139164172316746675297255598101509","90436117819536085136593498132603310723","131806679178559178436516274321088569118","16955264570490424115730333352803763280"]}},{"deprecated":false,"target":{"file":"drivers/usb/gadget/legacy/inode.c","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","signature_type":"Line","signature_version":"v1","id":"ASB-A-210292376-50988772","digest":{"threshold":0.9,"line_hashes":["294771366740492330844059928101261168882","329472988511519008266114862851615948738","230055354007917815238754878125146233726","241615109029172640209368064780730838459","64969316027898508467714672781279523538","30332420178214091468338430140846186405","255997175657941735343107809281305721211","128343364494571164832515145964696539800","192991251693947936407784405714326144362","63161658648569397665050629489358928343"]}},{"deprecated":false,"target":{"file":"drivers/usb/gadget/composite.c","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/53afb231f54a69d827b882fa282b30bb10cb08a5","signature_type":"Line","signature_version":"v1","id":"ASB-A-210292376-74c756f2","digest":{"threshold":0.9,"line_hashes":["143355955488074582918923422113678678741","158622893703874087713169325837116412141","297775984847593364130718939583473816625","271682105717194122968248441977048350079"]}},{"deprecated":false,"target":{"file":"drivers/usb/gadget/composite.c","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","signature_type":"Line","signature_version":"v1","id":"ASB-A-210292376-815b9cfe","digest":{"threshold":0.9,"line_hashes":["332656553028460648197238486507283164994","184822845197430248537449464647837682435","24535556639354158768388367629306163538"]}},{"deprecated":false,"target":{"file":"drivers/usb/gadget/legacy/dbgp.c","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","signature_type":"Line","signature_version":"v1","id":"ASB-A-210292376-a6d5cb50","digest":{"threshold":0.9,"line_hashes":["220786696602669738420112968039916400508","58419054149626582732950653854970518386","58319612690254011723664119190774671516"]}},{"deprecated":false,"target":{"file":"drivers/usb/gadget/legacy/inode.c","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88","signature_type":"Line","signature_version":"v1","id":"ASB-A-210292376-b8629c30","digest":{"threshold":0.9,"line_hashes":["168277062198575889714986975878996299946","159910597357020912291532397137645290576","174943010202927998149349872012672394311","152872091973965522016408549605659888007","268975379940599946310143948958215003762","253428316892486559519603479463959125254","141788946652623718247459303476047175349","323168905024258372889636080819264832317","252842714006000820472903548430965511964"]}},{"deprecated":false,"target":{"file":"drivers/usb/gadget/composite.c","function":"composite_setup","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88","signature_type":"Function","signature_version":"v1","id":"ASB-A-210292376-ba3b28b2","digest":{"length":9168,"function_hash":"262748161316401576846558063530053601345"}},{"deprecated":false,"target":{"file":"drivers/usb/gadget/legacy/dbgp.c","function":"dbgp_setup","truncated_path_level":1},"source":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","signature_type":"Function","signature_version":"v1","id":"ASB-A-210292376-d55f671b","digest":{"length":1417,"function_hash":"211557554950156766019146613511635348846"}}],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-210292376.json"}}],"schema_version":"1.7.5"}