{"id":"CVE-2021-46935","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix async_free_space accounting for empty parcels\n\nIn 4.13, commit 74310e06be4d (\"android: binder: Move buffer out of area shared with user space\")\nfixed a kernel structure visibility issue. As part of that patch,\nsizeof(void *) was used as the buffer size for 0-length data payloads so\nthe driver could detect abusive clients sending 0-length asynchronous\ntransactions to a server by enforcing limits on async_free_size.\n\nUnfortunately, on the \"free\" side, the accounting of async_free_space\ndid not add the sizeof(void *) back. The result was that up to 8-bytes of\nasync_free_space were leaked on every async transaction of 8-bytes or\nless.  These small transactions are uncommon, so this accounting issue\nhas gone undetected for several years.\n\nThe fix is to use \"buffer_size\" (the allocated buffer size) instead of\n\"size\" (the logical buffer size) when updating the async_free_space\nduring the free operation. These are the same except for this\ncorner case of asynchronous transactions with payloads \u003c 8 bytes.","modified":"2026-03-13T05:19:21.967281Z","published":"2024-02-27T10:15:07.957Z","references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff"},{"type":"FIX","url":"https://git.kernel.org/stable/c/1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4"},{"type":"FIX","url":"https://git.kernel.org/stable/c/2d2df539d05205fd83c404d5f2dff48d36f9b495"},{"type":"FIX","url":"https://git.kernel.org/stable/c/7c7064402609aeb6fb11be1b4ec10673ff17b593"},{"type":"FIX","url":"https://git.kernel.org/stable/c/cfd0d84ba28c18b531648c9d4a35ecca89ad9901"},{"type":"FIX","url":"https://git.kernel.org/stable/c/103b16a8c51f96d5fe063022869ea906c256e5da"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"4.14.0"},{"fixed":"4.14.261"}]},{"events":[{"introduced":"4.15.0"},{"fixed":"4.19.224"}]},{"events":[{"introduced":"4.20.0"},{"fixed":"5.4.170"}]},{"events":[{"introduced":"5.5.0"},{"fixed":"5.10.90"}]},{"events":[{"introduced":"5.11.0"},{"fixed":"5.15.13"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-46935.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}