{"id":"ASB-A-240140929","details":"In Import of C2SurfaceSyncObj.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-240140929","CVE-2023-20956"],"modified":"2026-04-23T15:15:38.048727Z","published":"2023-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/av/+/ce7a476857997b615745b13adaa5465cf4bc6cfe"}],"affected":[{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-03-01"}]}],"versions":["13-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/av/+/9b4f38105ad66615e811483f4927942b231c84b7"],"vanir_signatures":[{"signature_version":"v1","deprecated":false,"signature_type":"Function","target":{"file":"media/codec2/vndk/platform/C2SurfaceSyncObj.cpp","function":"C2SurfaceSyncMemory::Import"},"id":"ASB-A-240140929-3eb0086d","digest":{"length":531,"function_hash":"264911485199584872904152870241901263757"},"source":"https://android.googlesource.com/platform/frameworks/av/+/9b4f38105ad66615e811483f4927942b231c84b7"},{"signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"media/codec2/vndk/platform/C2SurfaceSyncObj.cpp"},"id":"ASB-A-240140929-5a1e5f4a","digest":{"line_hashes":["31765467849570847017508962957376924589","147670170250532669734861363521258715869","81303207179804990717236435807687710773","280413656575870453371965795855325740204"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/av/+/9b4f38105ad66615e811483f4927942b231c84b7"}],"spl":"2023-03-01","types":["ID"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-240140929.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-03-01"}]}],"versions":["12"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/av/+/e3958886dbdd65ac8020a4554c9e567f95a6d813"],"vanir_signatures":[{"signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"media/codec2/vndk/platform/C2SurfaceSyncObj.cpp"},"id":"ASB-A-240140929-9178909c","digest":{"line_hashes":["31765467849570847017508962957376924589","147670170250532669734861363521258715869","81303207179804990717236435807687710773","280413656575870453371965795855325740204"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/av/+/e3958886dbdd65ac8020a4554c9e567f95a6d813"},{"signature_version":"v1","deprecated":false,"signature_type":"Function","target":{"file":"media/codec2/vndk/platform/C2SurfaceSyncObj.cpp","function":"C2SurfaceSyncMemory::Import"},"id":"ASB-A-240140929-95820b80","digest":{"length":531,"function_hash":"264911485199584872904152870241901263757"},"source":"https://android.googlesource.com/platform/frameworks/av/+/e3958886dbdd65ac8020a4554c9e567f95a6d813"}],"spl":"2023-03-01","types":["ID"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-240140929.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-03-01"}]}],"versions":["12L"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/av/+/9c80c519481cc5e655c43b03c117a5aeced11bd1"],"vanir_signatures":[{"signature_version":"v1","deprecated":false,"signature_type":"Function","target":{"file":"media/codec2/vndk/platform/C2SurfaceSyncObj.cpp","function":"C2SurfaceSyncMemory::Import"},"id":"ASB-A-240140929-4d4bdccf","digest":{"length":531,"function_hash":"264911485199584872904152870241901263757"},"source":"https://android.googlesource.com/platform/frameworks/av/+/9c80c519481cc5e655c43b03c117a5aeced11bd1"},{"signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"media/codec2/vndk/platform/C2SurfaceSyncObj.cpp"},"id":"ASB-A-240140929-d2206ab2","digest":{"line_hashes":["31765467849570847017508962957376924589","147670170250532669734861363521258715869","81303207179804990717236435807687710773","280413656575870453371965795855325740204"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/av/+/9c80c519481cc5e655c43b03c117a5aeced11bd1"}],"spl":"2023-03-01","types":["ID"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-240140929.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-03-01"}]}],"versions":["13"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/av/+/7470a6a17a61f2ea732325a910fd49a67dd2f9c8"],"vanir_signatures":[{"signature_version":"v1","deprecated":false,"signature_type":"Function","target":{"file":"media/codec2/vndk/platform/C2SurfaceSyncObj.cpp","function":"C2SurfaceSyncMemory::Import"},"id":"ASB-A-240140929-77752672","digest":{"length":531,"function_hash":"264911485199584872904152870241901263757"},"source":"https://android.googlesource.com/platform/frameworks/av/+/7470a6a17a61f2ea732325a910fd49a67dd2f9c8"},{"signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"media/codec2/vndk/platform/C2SurfaceSyncObj.cpp"},"id":"ASB-A-240140929-be0908ea","digest":{"line_hashes":["31765467849570847017508962957376924589","147670170250532669734861363521258715869","81303207179804990717236435807687710773","280413656575870453371965795855325740204"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/av/+/7470a6a17a61f2ea732325a910fd49a67dd2f9c8"}],"spl":"2023-03-01","types":["ID"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-240140929.json"}}],"schema_version":"1.7.5"}