{"id":"ASB-A-275041864","details":"In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-275041864","CVE-2023-21255"],"modified":"2026-03-11T06:28:53.711353Z","published":"2023-07-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-07-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/1ca1130ec62d"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2023-07-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"spl":"2023-07-05","vanir_signatures":[{"id":"ASB-A-275041864-1d6cd19e","target":{"file":"drivers/android/binder.c"},"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/1ca1130ec62d","signature_type":"Line","digest":{"line_hashes":["252530102621673318231637335926479342647","87192875603400529883008250378785255420","159843565326172231007309767080003006051","51136168544716794884672869366215500033","179673804923126895675067540334846865055","150506422259491266854052407338595924401","279376322504948356637762812615004606622","228186972999333401279920280121456493948","305887402727079857180736650126702107646","40923539709221891107552011779640203180","81192290756696598409291837260332988504","262055034741351384338032470421329258447","92081050878445695771733973482925951660","310829386508172285962237967407939503545","64115575920453203466363693101421696325","333292109230336727486686548552708909414","192560114736391899275650914181802579792","98532720046620784477790178791352067211","37910882427524754886280449559625828551","263519947819166742077849170822022642265","299748562350714225964294965988860959464","17475403224302800134938502453952523914","152169479100245268169514822601509725096","190681293642304026710783929617918540100","109755974159534571600599633204475863410","12729838988437282039661691163486572406","70011498989022892104521938610654535583","235463455810039749781411056914898646558","91033220132228591031135005506605760636"],"threshold":0.9}},{"id":"ASB-A-275041864-42b77ec3","target":{"file":"drivers/android/binder.c","function":"binder_free_buf"},"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/1ca1130ec62d","signature_type":"Function","digest":{"length":746,"function_hash":"19363558258063083983609037154046116417"}},{"id":"ASB-A-275041864-9b39f865","target":{"file":"drivers/android/binder.c","function":"binder_proc_transaction"},"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/1ca1130ec62d","signature_type":"Function","digest":{"length":1829,"function_hash":"202011936234455134374258078814169708467"}},{"id":"ASB-A-275041864-fc175b07","target":{"file":"drivers/android/binder.c","function":"binder_transaction_buffer_release"},"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/1ca1130ec62d","signature_type":"Function","digest":{"length":3241,"function_hash":"99493580659905654752352877261084134034"}}],"types":["EoP"],"fixes":["https://android.googlesource.com/kernel/common/+/1ca1130ec62d"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-275041864.json"}}],"schema_version":"1.7.5"}