{"id":"PUB-A-191191823","details":"In xfrm_state_fini and related functions of xfrm_state.c and related files, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-191191823","CVE-2019-25045"],"modified":"2026-03-11T06:34:32.637919Z","published":"2021-10-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2021-10-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2021-10-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399"],"vanir_signatures":[{"target":{"file":"include/net/xfrm.h"},"signature_version":"v1","id":"PUB-A-191191823-19b36eff","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["243161038827417096249117573138058777384","2533267672426962681489286755455487889","332694360237361977395182802341411362187"]},"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399"},{"target":{"function":"xfrm6_tunnel_net_exit","file":"net/ipv6/xfrm6_tunnel.c"},"signature_version":"v1","id":"PUB-A-191191823-a4aa4dff","signature_type":"Function","digest":{"length":408,"function_hash":"6852462641908386585231461938522555527"},"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399"},{"target":{"file":"net/xfrm/xfrm_user.c"},"signature_version":"v1","id":"PUB-A-191191823-bbefcf37","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["229523491602531160254065325555422879319","197281378742686019844393500848894072709","228849362016189875298579074914545463885","123416886296457462454909832722580561112","109660003496568191125696794790970104126","138362605100217816335591702430092581019","283486307793756631151039538623233244132","168437063971864032226983419579197506024","109903552203742180102891192853726083337","218783971530653667576326592185539146816","61905635418335728281139742996708078973","64956988977403150703103618655309563032","10159363312468416494411373139083858061","230854622574928264560172461107740349273","242175030523505564915220495847088454605","267868390585593816517915983992887850017"]},"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399"},{"target":{"function":"validate_tmpl","file":"net/xfrm/xfrm_user.c"},"signature_version":"v1","id":"PUB-A-191191823-bfb85366","signature_type":"Function","digest":{"length":919,"function_hash":"258793581796817467857631674352932460528"},"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399"},{"target":{"function":"xfrm_state_fini","file":"net/xfrm/xfrm_state.c"},"signature_version":"v1","id":"PUB-A-191191823-c7e2f3e7","signature_type":"Function","digest":{"length":638,"function_hash":"159688494881237414820018288092704824487"},"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399"},{"target":{"file":"net/ipv6/xfrm6_tunnel.c"},"signature_version":"v1","id":"PUB-A-191191823-daa424a1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["334119904790110196879810912817670783742","307855993762072398891459568333205928644","210678993606077500116061939022504978348","329715576545611587226342160905857423912"]},"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399"},{"target":{"file":"net/key/af_key.c"},"signature_version":"v1","id":"PUB-A-191191823-e3dda7a6","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["139829487342025565876134762685900894426","208878218324934034428961596748072993814","214525917770506738197174906734251663048","178983729390585286081504476329595606588","52889798868292353760802554894756158332"]},"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399"},{"target":{"function":"parse_ipsecrequest","file":"net/key/af_key.c"},"signature_version":"v1","id":"PUB-A-191191823-f6cce137","signature_type":"Function","digest":{"length":1141,"function_hash":"322891837955063607216551630497528273955"},"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399"},{"target":{"file":"net/xfrm/xfrm_state.c"},"signature_version":"v1","id":"PUB-A-191191823-fd212021","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["290396018789963347844672641138512346602","274682750171497662749304830912080441716","162785980661114099367108606951023614806","318860455114264030518797770141199847702"]},"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399"}],"severity":"Moderate","spl":"2021-10-05","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/PUB-A-191191823.json"}}],"schema_version":"1.7.5"}