{"id":"ASB-A-239842288","details":"In rndis_set_response of rndis.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious USB device is attached with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-239842288","CVE-2022-20423"],"modified":"2026-03-11T06:18:04.475397Z","published":"2022-10-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-10-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/0a21a3eb9fcea0609f3bc8bee1f796788e0a770e"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/28bc0267399f4"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2022-10-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"spl":"2022-10-05","types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/kernel/common/+/0a21a3eb9fcea0609f3bc8bee1f796788e0a770e","https://android.googlesource.com/kernel/common/+/28bc0267399f4"],"vanir_signatures":[{"target":{"file":"drivers/usb/gadget/function/rndis.c","function":"rndis_set_response"},"digest":{"length":1113,"function_hash":"324509543485242453198264164088682879174"},"deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/0a21a3eb9fcea0609f3bc8bee1f796788e0a770e","id":"ASB-A-239842288-03ac93ad","signature_version":"v1"},{"target":{"file":"drivers/usb/gadget/function/rndis.c"},"digest":{"line_hashes":["74610532842214861125328212539619698848","219320814454438370276643923899985203310","235029350871556551678875653730524412287","220013837063397485624450100683511902294"],"threshold":0.9},"deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/28bc0267399f4","id":"ASB-A-239842288-1570ac21","signature_version":"v1"},{"target":{"file":"drivers/usb/gadget/function/rndis.c","function":"rndis_set_response"},"digest":{"length":1113,"function_hash":"324509543485242453198264164088682879174"},"deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/28bc0267399f4","id":"ASB-A-239842288-91ac53f0","signature_version":"v1"},{"target":{"file":"drivers/usb/gadget/function/rndis.c"},"digest":{"line_hashes":["74610532842214861125328212539619698848","219320814454438370276643923899985203310","235029350871556551678875653730524412287","220013837063397485624450100683511902294"],"threshold":0.9},"deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/0a21a3eb9fcea0609f3bc8bee1f796788e0a770e","id":"ASB-A-239842288-e44fcac5","signature_version":"v1"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-239842288.json"}}],"schema_version":"1.7.5"}