{"id":"ASB-A-208277166","details":"In ion_ioctl of ion-ioctl.c, there is a possible way to leak kernel head data due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-208277166","CVE-2021-39800"],"modified":"2026-05-22T15:55:21.353668239Z","published":"2022-04-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-04-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/504e1d6ee65d5"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/a8200613c8c9f"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/c47385c73fced"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2022-04-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"spl":"2022-04-05","types":["ID"],"fixes":["https://android.googlesource.com/kernel/common/+/504e1d6ee65d5","https://android.googlesource.com/kernel/common/+/a8200613c8c9f","https://android.googlesource.com/kernel/common/+/c47385c73fced"],"vanir_signatures":[{"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["151033958707289077932689979513354046405","216635458604075882410516048667531317036","302664414490971408997864319493595674834","221739946267379680246427709751205225781","225733980763646134140239715297400349801","205573501524462817502913143586070984544","222786911308159080010190805770024787004","208672130430734485746797742826257922828","11610389113332808972779191315566787485","5735080047482657032000385699806553598","310462665825707919787718418861642143950","103008139145088230189557335111397720498","80106757133994343482217215752005749377","251421797600579815286384243614451403060","54690302684252438497159593156613049562"],"threshold":0.9},"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/c47385c73fced","target":{"file":"drivers/staging/android/ion/ion-ioctl.c"},"id":"ASB-A-208277166-003f29a7"},{"signature_version":"v1","id":"ASB-A-208277166-00476d3e","digest":{"length":165,"function_hash":"257640874776738313320362658483379389384"},"source":"https://android.googlesource.com/kernel/common/+/a8200613c8c9f","signature_type":"Function","target":{"file":"drivers/staging/android/ion/ion.c","function":"ion_handle_validate"},"deprecated":false},{"signature_version":"v1","id":"ASB-A-208277166-3941d19a","digest":{"length":997,"function_hash":"194396682045491494479867707450503354625"},"source":"https://android.googlesource.com/kernel/common/+/504e1d6ee65d5","signature_type":"Function","target":{"file":"drivers/staging/android/ion/ion.c","function":"ion_alloc"},"deprecated":false},{"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["115316621478917446111076648487400790093","213608249474176736864228350980329419459","161788460852369129312235424821745585785","135617328054686189623692053771021851855","165406810494529109394699560786033572828"],"threshold":0.9},"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/a8200613c8c9f","target":{"file":"drivers/staging/android/ion/ion.c"},"id":"ASB-A-208277166-5d8783ef"},{"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["169032866111039584027050290384993199818","45260048469060672154123496409544231969","109798341365019266796925823364778754703","23492863868278338197414794809765120393","135575277495845586430922187484187761214","14159644319171079361058387496568664809","49565967641699121164462378510102989089","205007637486206190812880135691145173827","286456444278515149960324215844959712534","335328932922453855797786703943064981072","117846597220734447697643058427326609179","298768025420993361783823801269014974710","139022679760657808204069842830364986076","103008139145088230189557335111397720498","97784340856823063467455758773913511647","54601529414435026616427798900040392104","295049293083888451023542091012574865351","154518143699404748536457234681962189006","47616660811352131265273323140432238849","312712170788142948634017861087406518434","162312064554073253917769600024249479953","49876865655404111109909385162452499600"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/a8200613c8c9f","signature_type":"Line","target":{"file":"drivers/staging/android/ion/ion-ioctl.c"},"id":"ASB-A-208277166-6dcf5156"},{"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["72030289616729065893074888938306378018","203828467542625958953853030784127242982","221106329187612027717753517310982106318"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/504e1d6ee65d5","signature_type":"Line","target":{"file":"drivers/staging/android/ion/ion.h"},"id":"ASB-A-208277166-87a7046c"},{"signature_version":"v1","deprecated":false,"digest":{"length":2254,"function_hash":"199726031936338387520154907803516144643"},"source":"https://android.googlesource.com/kernel/common/+/a8200613c8c9f","signature_type":"Function","target":{"file":"drivers/staging/android/ion/ion-ioctl.c","function":"ion_ioctl"},"id":"ASB-A-208277166-b90567aa"},{"signature_version":"v1","id":"ASB-A-208277166-db0ef49e","digest":{"line_hashes":["252964648987737316041003505877199307967","286306285580761724214672628370304881257","272996489787136708497938920513206387268","124501695248120607727793710911504574049","273315269955682704448441174283122383550","124986485248968300642481103801406421945","301357216895032312203679321575057657646"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/a8200613c8c9f","signature_type":"Line","target":{"file":"drivers/staging/android/ion/ion_priv.h"},"deprecated":false},{"signature_version":"v1","deprecated":false,"digest":{"length":2418,"function_hash":"193762571505050839149557422263497255083"},"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/c47385c73fced","target":{"file":"drivers/staging/android/ion/ion-ioctl.c","function":"ion_ioctl"},"id":"ASB-A-208277166-ef5cf0ba"},{"signature_version":"v1","deprecated":false,"digest":{"length":2194,"function_hash":"167391083008459275423407210704065747708"},"source":"https://android.googlesource.com/kernel/common/+/504e1d6ee65d5","signature_type":"Function","target":{"file":"drivers/staging/android/ion/ion-ioctl.c","function":"ion_ioctl"},"id":"ASB-A-208277166-f654ae31"},{"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["234169670576267102804229620753238111498","325437771204467165614668530822809638663","244605751180689327088290003111144478609","148326263044794487929845218259641970817","123880761713220177931956264222623010877","237930637910431024811205228433767112225","41428011087008769976365949201988140769","198311571423132510927805749041089391906","244207441712928132596878135121434199488","215253039158303253160431955927876565085","182196715250716146213728330906729209937","248250597680557493742077190509874551952","278253701601950672219683139226723151853","201541717412904143452260414197344225132"],"threshold":0.9},"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/504e1d6ee65d5","target":{"file":"drivers/staging/android/ion/ion-ioctl.c"},"id":"ASB-A-208277166-f76d470b"},{"signature_version":"v1","id":"ASB-A-208277166-fee44e35","digest":{"line_hashes":["257737927408165704806799185401347417491","244198503613174304217601679170999417096","289109822885074938276036798598302941116","302902507409333248070956712292208314863","317191527901081197482347274890779005232","320877193886064486212943847598354552050","93929187523131189838550234545780551614","165027308652524208329242819120042559829","322321429631813108620020529978070545106","209613764484524100735470668749321669392","157952586831566872996180551778066034841","32610049557441676041268696173107650180","200751683175214098855700849041843731504","195568203124863052195549374361046822207"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/504e1d6ee65d5","signature_type":"Line","target":{"file":"drivers/staging/android/ion/ion.c"},"deprecated":false}],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-208277166.json"}}],"schema_version":"1.7.5"}