{"id":"ASB-A-299123598","details":"In unix_stream_sendpage of af_unix.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-299123598","CVE-2023-4622"],"modified":"2026-03-11T06:29:29.096817Z","published":"2024-05-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2024-05-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/e6ed59127c865"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/790c2f9d15b59"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/84d3e59750bbd"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/d39fc9b94dc07"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2024-05-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"severity":"High","spl":"2024-05-05","vanir_signatures":[{"digest":{"function_hash":"74578476663412431466883751391350733343","length":2118},"source":"https://android.googlesource.com/kernel/common/+/d39fc9b94dc07","deprecated":false,"target":{"file":"net/unix/af_unix.c","function":"unix_stream_sendpage"},"signature_type":"Function","signature_version":"v1","id":"ASB-A-299123598-00d992af"},{"digest":{"threshold":0.9,"line_hashes":["248950612756612724065093709972738325357","279144108549210949441020903890615322329","16220953337162752779916020803348486468","203654826256204033757231210560604153267","260522720799231029387729392220418790987","86655572250296221835706980117084759542","322983119535394844659808779319684898409","30135840773779090171591045457747543630","291436812016123704043265508278090069461","166185117026504118168859716872522459700","30516924935334657074735959066607922916","166699174247796674368467584101246118722","175578990280298867692057496702032737660","207591957364424589282195218120637294974","152852358735968692568757231492658828030","137510011422766836065820052306096440041","241416977303368234603546312521807009668"]},"source":"https://android.googlesource.com/kernel/common/+/d39fc9b94dc07","deprecated":false,"target":{"file":"net/unix/af_unix.c"},"signature_type":"Line","signature_version":"v1","id":"ASB-A-299123598-4f5d4535"},{"digest":{"threshold":0.9,"line_hashes":["248950612756612724065093709972738325357","279144108549210949441020903890615322329","16220953337162752779916020803348486468","203654826256204033757231210560604153267","260522720799231029387729392220418790987","86655572250296221835706980117084759542","322983119535394844659808779319684898409","30135840773779090171591045457747543630","291436812016123704043265508278090069461","166185117026504118168859716872522459700","30516924935334657074735959066607922916","166699174247796674368467584101246118722","175578990280298867692057496702032737660","207591957364424589282195218120637294974","152852358735968692568757231492658828030","137510011422766836065820052306096440041","241416977303368234603546312521807009668"]},"source":"https://android.googlesource.com/kernel/common/+/84d3e59750bbd","deprecated":false,"target":{"file":"net/unix/af_unix.c"},"signature_type":"Line","signature_version":"v1","id":"ASB-A-299123598-569f3979"},{"digest":{"function_hash":"74578476663412431466883751391350733343","length":2118},"source":"https://android.googlesource.com/kernel/common/+/790c2f9d15b59","deprecated":false,"target":{"file":"net/unix/af_unix.c","function":"unix_stream_sendpage"},"signature_type":"Function","signature_version":"v1","id":"ASB-A-299123598-6c337f83"},{"digest":{"threshold":0.9,"line_hashes":["248950612756612724065093709972738325357","279144108549210949441020903890615322329","16220953337162752779916020803348486468","203654826256204033757231210560604153267","260522720799231029387729392220418790987","86655572250296221835706980117084759542","322983119535394844659808779319684898409","30135840773779090171591045457747543630","291436812016123704043265508278090069461","166185117026504118168859716872522459700","30516924935334657074735959066607922916","166699174247796674368467584101246118722","175578990280298867692057496702032737660","207591957364424589282195218120637294974","152852358735968692568757231492658828030","137510011422766836065820052306096440041","241416977303368234603546312521807009668"]},"source":"https://android.googlesource.com/kernel/common/+/790c2f9d15b59","deprecated":false,"target":{"file":"net/unix/af_unix.c"},"signature_type":"Line","signature_version":"v1","id":"ASB-A-299123598-8be56e5e"},{"digest":{"threshold":0.9,"line_hashes":["248950612756612724065093709972738325357","279144108549210949441020903890615322329","16220953337162752779916020803348486468","203654826256204033757231210560604153267","260522720799231029387729392220418790987","86655572250296221835706980117084759542","322983119535394844659808779319684898409","30135840773779090171591045457747543630","291436812016123704043265508278090069461","166185117026504118168859716872522459700","30516924935334657074735959066607922916","166699174247796674368467584101246118722","175578990280298867692057496702032737660","207591957364424589282195218120637294974","152852358735968692568757231492658828030","137510011422766836065820052306096440041","241416977303368234603546312521807009668"]},"source":"https://android.googlesource.com/kernel/common/+/e6ed59127c865","deprecated":false,"target":{"file":"net/unix/af_unix.c"},"signature_type":"Line","signature_version":"v1","id":"ASB-A-299123598-8ee8e9ea"},{"digest":{"function_hash":"74578476663412431466883751391350733343","length":2118},"source":"https://android.googlesource.com/kernel/common/+/84d3e59750bbd","deprecated":false,"target":{"file":"net/unix/af_unix.c","function":"unix_stream_sendpage"},"signature_type":"Function","signature_version":"v1","id":"ASB-A-299123598-aadcf96a"},{"digest":{"function_hash":"74578476663412431466883751391350733343","length":2118},"source":"https://android.googlesource.com/kernel/common/+/e6ed59127c865","deprecated":false,"target":{"file":"net/unix/af_unix.c","function":"unix_stream_sendpage"},"signature_type":"Function","signature_version":"v1","id":"ASB-A-299123598-f97e8ab2"}],"types":["EoP"],"fixes":["https://android.googlesource.com/kernel/common/+/e6ed59127c865","https://android.googlesource.com/kernel/common/+/790c2f9d15b59","https://android.googlesource.com/kernel/common/+/84d3e59750bbd","https://android.googlesource.com/kernel/common/+/d39fc9b94dc07"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-299123598.json"}}],"schema_version":"1.7.5"}