{"id":"PUB-A-190011721","details":"In retrieve_ptr_limit and related functions of verifier.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-190011721","CVE-2021-33200"],"modified":"2026-03-11T06:34:28.822985Z","published":"2021-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2021-12-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/4e2c7b297431"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/c87ef240a8bb"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/27acfd11ba17"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2021-12-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"vanir_signatures":[{"id":"PUB-A-190011721-06da4639","source":"https://android.googlesource.com/kernel/common/+/4e2c7b297431","target":{"function":"adjust_ptr_min_max_vals","file":"kernel/bpf/verifier.c"},"digest":{"length":4765,"function_hash":"280925786661479790060625219488333451145"},"signature_version":"v1","signature_type":"Function","deprecated":false},{"id":"PUB-A-190011721-0f162e85","source":"https://android.googlesource.com/kernel/common/+/4e2c7b297431","target":{"file":"kernel/bpf/verifier.c"},"digest":{"threshold":0.9,"line_hashes":["262039529909060196131840256906024236091","270188737281727892283613521542930633652","202666486935702327703733695467908503678","206109830977063295313481655814501734546","292486978687385929434937330953248332427","328639218135929486931504967438055463412","62868870917074497638268689937442447168","320310744290047615038558848755583454387","261457560931777040427055367791851611644","68582937390981047386786096394346336561","262129148996771020818048131033824065966","112351779731652824777136638711725917188","190261737873874972819381169079371674881","303706700695040886962027604386566828839","10389472930954564919343417650301357378","3865584324248217866683036343101457061","58441117975608874748647369726117887541","79415134364014076933211547464204217671","317311942449228392442899622207029611134","135760675079791313916564915763451899558","32902188230975282252255827147040916814","204870489292401244044936037152747646290","25504007323729439322956106711636630733","172381262836319009699659302504928370105","136782001053866556956108588732434675271","10245136483796299734482042581954248075","322126300342519691672201230491836247048","108686124283852224623903031889849749709","202818059168461138909902828253571242458"]},"signature_version":"v1","signature_type":"Line","deprecated":false},{"id":"PUB-A-190011721-23b47069","source":"https://android.googlesource.com/kernel/common/+/c87ef240a8bb","target":{"function":"sanitize_ptr_alu","file":"kernel/bpf/verifier.c"},"digest":{"length":1148,"function_hash":"246957723678091566589130391708730684184"},"signature_version":"v1","signature_type":"Function","deprecated":false},{"id":"PUB-A-190011721-81499f5a","source":"https://android.googlesource.com/kernel/common/+/c87ef240a8bb","target":{"function":"retrieve_ptr_limit","file":"kernel/bpf/verifier.c"},"digest":{"length":747,"function_hash":"6241484433920322589546792130090738769"},"signature_version":"v1","signature_type":"Function","deprecated":false},{"id":"PUB-A-190011721-951b2ab4","source":"https://android.googlesource.com/kernel/common/+/27acfd11ba17","target":{"file":"kernel/bpf/verifier.c"},"digest":{"threshold":0.9,"line_hashes":["47427510771680019310194127933122136096","319713665651579424303318085355357056722","240756402307389634250126952816184534541","207370627333112601712375871791117294648"]},"signature_version":"v1","signature_type":"Line","deprecated":false},{"id":"PUB-A-190011721-97ef0e8e","source":"https://android.googlesource.com/kernel/common/+/4e2c7b297431","target":{"function":"sanitize_ptr_alu","file":"kernel/bpf/verifier.c"},"digest":{"length":1127,"function_hash":"187212921763892443154419825529662340918"},"signature_version":"v1","signature_type":"Function","deprecated":false},{"id":"PUB-A-190011721-a841515f","source":"https://android.googlesource.com/kernel/common/+/27acfd11ba17","target":{"function":"sanitize_ptr_alu","file":"kernel/bpf/verifier.c"},"digest":{"length":1384,"function_hash":"190812588988046212309368991988796455796"},"signature_version":"v1","signature_type":"Function","deprecated":false},{"id":"PUB-A-190011721-ae02bd93","source":"https://android.googlesource.com/kernel/common/+/c87ef240a8bb","target":{"file":"kernel/bpf/verifier.c"},"digest":{"threshold":0.9,"line_hashes":["3973112015353895427797486632497507088","109492799880415627359173180119756358953","151263697241877261312355100598146786640","227558448847777301654952269804132204619","48422950799149764877750188752617729560","322566115669594912920201594012322327461","39918092637745787937094710157800133725","27974248861366183145253296694337357657","278672871784064751746473846623304960395","10984009763167534490828174999891896918","36147004044395911372441237840665215257","273077193668393981112346615424261606026","89522239158795419087619746193143309496","57296124109740312822760439108636120772","39464320438896685214166384935106519725","271371438596389649210494411959216830846","160026756588115414011880114991878292752","4154023463872514507109786054285824972","84049923922650422497478016294474054196","225208778956210412871068268981562215833","288492177735258700518958040474273244828"]},"signature_version":"v1","signature_type":"Line","deprecated":false}],"types":["EoP"],"severity":"Moderate","spl":"2021-12-05","fixes":["https://android.googlesource.com/kernel/common/+/4e2c7b297431","https://android.googlesource.com/kernel/common/+/c87ef240a8bb","https://android.googlesource.com/kernel/common/+/27acfd11ba17"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/PUB-A-190011721.json"}}],"schema_version":"1.7.5"}