{"id":"ASB-A-238904312","details":"The path in this case is a little bit convoluted. The end result is that via an ioctl an untrusted app can control the ui32PageIndex offset in the expression:\n        sPA.uiAddr = page_to_phys(psOSPageArrayData-\u003epagearray[ui32PageIndex]);\nWith the current PoC this crashes as an OOB read. However, given that the OOB read value is ending up as the address field of a struct I think i seems plausible that this could lead to an OOB write if the attacker is able to cause the OOB read to pull an interesting kernel address. Regardless if this is a read or write, it is a High severity issue in the kernel.","aliases":["A-238904312","CVE-2021-0942"],"modified":"2026-04-30T15:48:46.890647Z","published":"2022-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-09-01"}],"affected":[{"package":{"name":":unknown:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"SoCVersion:0"},{"fixed":"SoCVersion:2022-09-05"}]}],"versions":["SoCVersion"],"ecosystem_specific":{"severity":"High","types":["EoP"],"spl":"2022-09-05"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-238904312.json"}}],"schema_version":"1.7.5"}