{"id":"ASB-A-210292376","details":"In various setup methods of the USB gadget subsystem, there is a possible out of bounds write due to an incorrect flag check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-210292376","CVE-2021-39685"],"modified":"2026-04-10T16:16:18.068628Z","published":"2022-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-03-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/53afb231f54a69d827b882fa282b30bb10cb08a5"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2022-03-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"spl":"2022-03-05","severity":"High","vanir_signatures":[{"id":"ASB-A-210292376-07c28504","source":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","deprecated":false,"signature_version":"v1","digest":{"length":3917,"function_hash":"51759867175630936810844205975104072139"},"target":{"truncated_path_level":1,"file":"drivers/usb/gadget/legacy/inode.c","function":"gadgetfs_setup"},"signature_type":"Function"},{"id":"ASB-A-210292376-10c06503","source":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","deprecated":false,"signature_version":"v1","digest":{"length":8448,"function_hash":"5478919993484057482267054353714439302"},"target":{"truncated_path_level":1,"file":"drivers/usb/gadget/composite.c","function":"composite_setup"},"signature_type":"Function"},{"id":"ASB-A-210292376-15653578","source":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88","deprecated":false,"signature_version":"v1","digest":{"length":1621,"function_hash":"93752368828605204984022412487897098288"},"target":{"truncated_path_level":1,"file":"drivers/usb/gadget/legacy/dbgp.c","function":"dbgp_setup"},"signature_type":"Function"},{"id":"ASB-A-210292376-23d2e7a8","source":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["132148347048279419280812656841126240180","338407080313961553039665632921969748325","30319679445911400763643158899393296638","23529657258676302058030637143664411757","232491551941646124643748727117521007993","57219422123411163541532791633072929079","328093589067149246509546984881844954464","192871118795807847659645640117966101676","212530147027068052741102169768699200053"],"threshold":0.9},"target":{"file":"drivers/usb/gadget/composite.c","truncated_path_level":1},"signature_type":"Line"},{"id":"ASB-A-210292376-3732d93f","source":"https://android.googlesource.com/kernel/common/+/53afb231f54a69d827b882fa282b30bb10cb08a5","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["44388756161188325535624964539810122580","300636872095149243812570197716301505112","265144746910665567402077785482016730384","209658912545017139654451643257511707256"],"threshold":0.9},"target":{"file":"drivers/usb/gadget/legacy/dbgp.c","truncated_path_level":1},"signature_type":"Line"},{"id":"ASB-A-210292376-39657ba2","source":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88","deprecated":false,"signature_version":"v1","digest":{"length":4122,"function_hash":"105913675375561089862977033170352909625"},"target":{"truncated_path_level":1,"file":"drivers/usb/gadget/legacy/inode.c","function":"gadgetfs_setup"},"signature_type":"Function"},{"id":"ASB-A-210292376-49cbc5e1","source":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["154577222357527416269986822795562249155","325717861012887528918453907485411867611","103512566246965709614821552541975923097","60644498906439300369322499150066009106","280716830574389440697189285742828817462","9411139164172316746675297255598101509","90436117819536085136593498132603310723","131806679178559178436516274321088569118","16955264570490424115730333352803763280"],"threshold":0.9},"target":{"file":"drivers/usb/gadget/legacy/dbgp.c","truncated_path_level":1},"signature_type":"Line"},{"id":"ASB-A-210292376-50988772","source":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["294771366740492330844059928101261168882","329472988511519008266114862851615948738","230055354007917815238754878125146233726","241615109029172640209368064780730838459","64969316027898508467714672781279523538","30332420178214091468338430140846186405","255997175657941735343107809281305721211","128343364494571164832515145964696539800","192991251693947936407784405714326144362","63161658648569397665050629489358928343"],"threshold":0.9},"target":{"file":"drivers/usb/gadget/legacy/inode.c","truncated_path_level":1},"signature_type":"Line"},{"id":"ASB-A-210292376-74c756f2","source":"https://android.googlesource.com/kernel/common/+/53afb231f54a69d827b882fa282b30bb10cb08a5","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["143355955488074582918923422113678678741","158622893703874087713169325837116412141","297775984847593364130718939583473816625","271682105717194122968248441977048350079"],"threshold":0.9},"target":{"file":"drivers/usb/gadget/composite.c","truncated_path_level":1},"signature_type":"Line"},{"id":"ASB-A-210292376-815b9cfe","source":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["332656553028460648197238486507283164994","184822845197430248537449464647837682435","24535556639354158768388367629306163538"],"threshold":0.9},"target":{"file":"drivers/usb/gadget/composite.c","truncated_path_level":1},"signature_type":"Line"},{"id":"ASB-A-210292376-a6d5cb50","source":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["220786696602669738420112968039916400508","58419054149626582732950653854970518386","58319612690254011723664119190774671516"],"threshold":0.9},"target":{"file":"drivers/usb/gadget/legacy/dbgp.c","truncated_path_level":1},"signature_type":"Line"},{"id":"ASB-A-210292376-b8629c30","source":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["168277062198575889714986975878996299946","159910597357020912291532397137645290576","174943010202927998149349872012672394311","152872091973965522016408549605659888007","268975379940599946310143948958215003762","253428316892486559519603479463959125254","141788946652623718247459303476047175349","323168905024258372889636080819264832317","252842714006000820472903548430965511964"],"threshold":0.9},"target":{"file":"drivers/usb/gadget/legacy/inode.c","truncated_path_level":1},"signature_type":"Line"},{"id":"ASB-A-210292376-ba3b28b2","source":"https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88","deprecated":false,"signature_version":"v1","digest":{"length":9168,"function_hash":"262748161316401576846558063530053601345"},"target":{"truncated_path_level":1,"file":"drivers/usb/gadget/composite.c","function":"composite_setup"},"signature_type":"Function"},{"id":"ASB-A-210292376-d55f671b","source":"https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","deprecated":false,"signature_version":"v1","digest":{"length":1417,"function_hash":"211557554950156766019146613511635348846"},"target":{"truncated_path_level":1,"file":"drivers/usb/gadget/legacy/dbgp.c","function":"dbgp_setup"},"signature_type":"Function"}],"fixes":["https://android.googlesource.com/kernel/common/+/b4604acd52a691c2fd33ad0a0fafb7cc19dee5de","https://android.googlesource.com/kernel/common/+/53afb231f54a69d827b882fa282b30bb10cb08a5","https://android.googlesource.com/kernel/common/+/d3c17d5e271ab688cb117330ec85e125ebf24d88"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-210292376.json"}}],"schema_version":"1.7.5"}