{"id":"ASB-A-197868577","details":"In osi_malloc and osi_calloc of allocator.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-197868577","CVE-2021-0968"],"modified":"2026-04-22T14:59:17.843400Z","published":"2021-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2021-12-01"}],"affected":[{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"9:0"},{"fixed":"9:2021-12-01"}]}],"versions":["9"],"ecosystem_specific":{"types":["RCE"],"severity":"Critical","spl":"2021-12-01","fixes":["https://android.googlesource.com/platform/system/bt/+/cee4d086c959e174328a0e173398d99f59ccbb1f"],"vanir_signatures":[{"id":"ASB-A-197868577-2e3c1304","source":"https://android.googlesource.com/platform/system/bt/+/cee4d086c959e174328a0e173398d99f59ccbb1f","signature_version":"v1","target":{"function":"osi_calloc","file":"osi/src/allocator.cc"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"133515069060463300907966626649197431077","length":180}},{"id":"ASB-A-197868577-37f71231","source":"https://android.googlesource.com/platform/system/bt/+/cee4d086c959e174328a0e173398d99f59ccbb1f","signature_version":"v1","target":{"function":"osi_malloc","file":"osi/src/allocator.cc"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"117538921863687452573602227384761554202","length":176}},{"id":"ASB-A-197868577-7a3c9ba8","source":"https://android.googlesource.com/platform/system/bt/+/cee4d086c959e174328a0e173398d99f59ccbb1f","signature_version":"v1","target":{"file":"osi/src/allocator.cc"},"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["202646545228519606468605655560141210094","272342536816153109009821619670548510412","140660819875019453777698067336487926622","90577778521919955422444438216599194331","318145221288325454207691524196237343651","118114027170040244437591581732054233909","266839983093794151707598956899575249286","166390355539842863750748059879262597292"]}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-197868577.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2021-12-01"}]}],"versions":["10"],"ecosystem_specific":{"types":["RCE"],"severity":"Critical","spl":"2021-12-01","fixes":["https://android.googlesource.com/platform/system/bt/+/1e76ec66d8ad19f94a4e253db040d6983c6b830e"],"vanir_signatures":[{"id":"ASB-A-197868577-189e24b2","source":"https://android.googlesource.com/platform/system/bt/+/1e76ec66d8ad19f94a4e253db040d6983c6b830e","signature_version":"v1","target":{"function":"osi_calloc","file":"osi/src/allocator.cc"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"133515069060463300907966626649197431077","length":180}},{"id":"ASB-A-197868577-982e1563","source":"https://android.googlesource.com/platform/system/bt/+/1e76ec66d8ad19f94a4e253db040d6983c6b830e","signature_version":"v1","target":{"function":"osi_malloc","file":"osi/src/allocator.cc"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"117538921863687452573602227384761554202","length":176}},{"id":"ASB-A-197868577-af3cde8b","source":"https://android.googlesource.com/platform/system/bt/+/1e76ec66d8ad19f94a4e253db040d6983c6b830e","signature_version":"v1","target":{"file":"osi/src/allocator.cc"},"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["202646545228519606468605655560141210094","272342536816153109009821619670548510412","140660819875019453777698067336487926622","90577778521919955422444438216599194331","318145221288325454207691524196237343651","118114027170040244437591581732054233909","266839983093794151707598956899575249286","166390355539842863750748059879262597292"]}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-197868577.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2021-12-01"}]}],"versions":["11"],"ecosystem_specific":{"types":["RCE"],"severity":"Critical","spl":"2021-12-01","fixes":["https://android.googlesource.com/platform/system/bt/+/e435404a7d2afa6b4cb9a59319667bf72af4df1f"],"vanir_signatures":[{"id":"ASB-A-197868577-5c67fb4a","source":"https://android.googlesource.com/platform/system/bt/+/e435404a7d2afa6b4cb9a59319667bf72af4df1f","signature_version":"v1","target":{"function":"osi_calloc","file":"osi/src/allocator.cc"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"133515069060463300907966626649197431077","length":180}},{"id":"ASB-A-197868577-91d9fc83","source":"https://android.googlesource.com/platform/system/bt/+/e435404a7d2afa6b4cb9a59319667bf72af4df1f","signature_version":"v1","target":{"file":"osi/src/allocator.cc"},"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["202646545228519606468605655560141210094","272342536816153109009821619670548510412","140660819875019453777698067336487926622","90577778521919955422444438216599194331","318145221288325454207691524196237343651","118114027170040244437591581732054233909","266839983093794151707598956899575249286","166390355539842863750748059879262597292"]}},{"id":"ASB-A-197868577-fdad8b17","source":"https://android.googlesource.com/platform/system/bt/+/e435404a7d2afa6b4cb9a59319667bf72af4df1f","signature_version":"v1","target":{"function":"osi_malloc","file":"osi/src/allocator.cc"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"117538921863687452573602227384761554202","length":176}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-197868577.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2021-12-01"}]}],"versions":["12"],"ecosystem_specific":{"types":["RCE"],"severity":"Critical","spl":"2021-12-01","fixes":["https://android.googlesource.com/platform/system/bt/+/a1184057b275eb91857977663fe05016df67b3c5"],"vanir_signatures":[{"id":"ASB-A-197868577-0ad5617f","source":"https://android.googlesource.com/platform/system/bt/+/a1184057b275eb91857977663fe05016df67b3c5","signature_version":"v1","target":{"function":"osi_calloc","file":"osi/src/allocator.cc"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"133515069060463300907966626649197431077","length":180}},{"id":"ASB-A-197868577-94a8a3f4","source":"https://android.googlesource.com/platform/system/bt/+/a1184057b275eb91857977663fe05016df67b3c5","signature_version":"v1","target":{"function":"osi_malloc","file":"osi/src/allocator.cc"},"signature_type":"Function","deprecated":false,"digest":{"function_hash":"117538921863687452573602227384761554202","length":176}},{"id":"ASB-A-197868577-b52b98e5","source":"https://android.googlesource.com/platform/system/bt/+/a1184057b275eb91857977663fe05016df67b3c5","signature_version":"v1","target":{"file":"osi/src/allocator.cc"},"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["202646545228519606468605655560141210094","272342536816153109009821619670548510412","140660819875019453777698067336487926622","90577778521919955422444438216599194331","318145221288325454207691524196237343651","118114027170040244437591581732054233909","266839983093794151707598956899575249286","166390355539842863750748059879262597292"]}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-197868577.json"}}],"schema_version":"1.7.5"}