{"id":"ASB-A-243381410","details":"In multiple functions of MtpFfsHandle.cpp , there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.","aliases":["A-243381410","CVE-2023-40114"],"modified":"2026-04-10T16:16:18.068628Z","published":"2023-11-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-11-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/av/+/2fdf54b050f728fd965c9afdd03116e9b9dafbae"}],"affected":[{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2023-11-01"}]}],"versions":["14-next"],"ecosystem_specific":{"vanir_signatures":[{"match_only_versions":["14-next"],"signature_type":"Function","digest":{"length":391,"function_hash":"206423838537077778683672397681181193153"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/av/+/24b80a252815efec8fe9ee09d27ff592ff85caf6","target":{"function":"MtpFfsHandle::doSendEvent","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","id":"ASB-A-243381410-2f32c52c"},{"digest":{"length":85,"function_hash":"187296678320389610812168504060705140071"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/50bf46a3f62136386548a9187a749936bda3ee8f","target":{"function":"MtpFfsHandle::close","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-243381410-43c10ea1"},{"digest":{"length":282,"function_hash":"276487615277169573715096579113361679539"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/50bf46a3f62136386548a9187a749936bda3ee8f","target":{"function":"MtpFfsHandle::sendEvent","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-243381410-48363c69"},{"digest":{"threshold":0.9,"line_hashes":["257946880689431607607846921277362628984","214813738760782162275727667657187336111","311949162191875777493563203535787409328"]},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/50bf46a3f62136386548a9187a749936bda3ee8f","target":{"file":"media/mtp/MtpFfsHandle.h"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-243381410-71daa25e"},{"match_only_versions":["14-next"],"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["249905657129750199156804045841388941371","129944308696489498706075798586674994455","234890760846408323056785030771212952384","134081666041439078632207748534875507413","216512857860840639893639376538607433979","46630529847610189699613104430422721829","249078942686925292647122114907574201434","133086749823307041251926957468676873004","324773778986203074548926276370670423793","3218371153343959678584258994735145426","83595945529144457290875089835432754386","306231000139423576494531936526756222315","211420202275080712744550988006981160177","134173040292944580260729058122719658293","75010337608386829421480620726219757103","38375681278452947314662935039389038682","202687650483980621914080471630274682406","318938683827732062174721510769767011106","275207533668640178719217003156540494481","130923682915988071978495404433715529474"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/av/+/24b80a252815efec8fe9ee09d27ff592ff85caf6","target":{"file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","id":"ASB-A-243381410-83b8948e"},{"match_only_versions":["14-next"],"signature_type":"Function","digest":{"length":338,"function_hash":"246874845117935513973283340014045140640"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/av/+/24b80a252815efec8fe9ee09d27ff592ff85caf6","target":{"function":"MtpFfsHandle::sendEvent","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","id":"ASB-A-243381410-c1163542"},{"match_only_versions":["14-next"],"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["287665720593271876949601279852261242653","123877190094603676257621209182778795715","304262815724805461350446928805530664552","16996758083761316092469516705013594099","9295919541600902406113267227066390217","248751862827529912028883904204990656887"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/av/+/24b80a252815efec8fe9ee09d27ff592ff85caf6","target":{"file":"media/mtp/MtpFfsHandle.h"},"signature_version":"v1","id":"ASB-A-243381410-d38f158b"},{"match_only_versions":["14-next"],"signature_type":"Function","digest":{"length":221,"function_hash":"69570275881886170927266215477087188399"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/av/+/24b80a252815efec8fe9ee09d27ff592ff85caf6","target":{"function":"MtpFfsHandle::close","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","id":"ASB-A-243381410-f1a30a43"},{"digest":{"threshold":0.9,"line_hashes":["104378138219268779814330118595398296666","204458413345149048668434331184071604602","274746092296857967025830671311052618919","118046279412932046354249876989352904934","69565515035292456810716684427000415482","299347034252007468155409632366504270155","153406248780684167603897372426184570892","21845633233846915759719832940100001890","113618895588595597258975882515016568485","151515614438489737464926123216152085661","221010358112329924353436072492745962727"]},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/50bf46a3f62136386548a9187a749936bda3ee8f","target":{"file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-243381410-fee18d90"}],"fixes":["https://android.googlesource.com/platform/frameworks/av/+/50bf46a3f62136386548a9187a749936bda3ee8f","https://android.googlesource.com/platform/frameworks/av/+/24b80a252815efec8fe9ee09d27ff592ff85caf6"],"spl":"2023-11-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-243381410.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-11-01"}]}],"versions":["11"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"length":282,"function_hash":"276487615277169573715096579113361679539"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/73d89318a658ece5f337c5f9c1ec1149c52eb722","target":{"function":"MtpFfsHandle::sendEvent","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-243381410-0401a714"},{"digest":{"threshold":0.9,"line_hashes":["104378138219268779814330118595398296666","204458413345149048668434331184071604602","274746092296857967025830671311052618919","118046279412932046354249876989352904934","69565515035292456810716684427000415482","299347034252007468155409632366504270155","153406248780684167603897372426184570892","21845633233846915759719832940100001890","113618895588595597258975882515016568485","151515614438489737464926123216152085661","221010358112329924353436072492745962727"]},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/73d89318a658ece5f337c5f9c1ec1149c52eb722","target":{"file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-243381410-3dc0dc8e"},{"digest":{"threshold":0.9,"line_hashes":["239159632960374640597334580885051590784","171934229187705278507507383778159506808","194610243098660717648630058873393564582"]},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/73d89318a658ece5f337c5f9c1ec1149c52eb722","target":{"file":"media/mtp/MtpFfsHandle.h"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-243381410-808e0237"},{"match_only_versions":["11"],"signature_type":"Function","digest":{"length":313,"function_hash":"156322528856444147556699193616146441238"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/73d89318a658ece5f337c5f9c1ec1149c52eb722","target":{"function":"MtpFfsHandle::doSendEvent","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","id":"ASB-A-243381410-82e1fbec"},{"digest":{"length":85,"function_hash":"187296678320389610812168504060705140071"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/73d89318a658ece5f337c5f9c1ec1149c52eb722","target":{"function":"MtpFfsHandle::close","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-243381410-ebf12d6f"}],"fixes":["https://android.googlesource.com/platform/frameworks/av/+/73d89318a658ece5f337c5f9c1ec1149c52eb722"],"spl":"2023-11-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-243381410.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-11-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"length":282,"function_hash":"276487615277169573715096579113361679539"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/e376b3dd401339cf736b1f76948b2f2338a647c9","target":{"function":"MtpFfsHandle::sendEvent","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-243381410-1a1c308b"},{"match_only_versions":["12"],"signature_type":"Function","digest":{"length":313,"function_hash":"156322528856444147556699193616146441238"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/e376b3dd401339cf736b1f76948b2f2338a647c9","target":{"function":"MtpFfsHandle::doSendEvent","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","id":"ASB-A-243381410-26ad8f39"},{"digest":{"length":85,"function_hash":"187296678320389610812168504060705140071"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/e376b3dd401339cf736b1f76948b2f2338a647c9","target":{"function":"MtpFfsHandle::close","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-243381410-328e0f99"},{"digest":{"threshold":0.9,"line_hashes":["257946880689431607607846921277362628984","214813738760782162275727667657187336111","311949162191875777493563203535787409328"]},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/e376b3dd401339cf736b1f76948b2f2338a647c9","target":{"file":"media/mtp/MtpFfsHandle.h"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-243381410-5678c55a"},{"digest":{"threshold":0.9,"line_hashes":["104378138219268779814330118595398296666","204458413345149048668434331184071604602","274746092296857967025830671311052618919","118046279412932046354249876989352904934","69565515035292456810716684427000415482","299347034252007468155409632366504270155","153406248780684167603897372426184570892","21845633233846915759719832940100001890","113618895588595597258975882515016568485","151515614438489737464926123216152085661","221010358112329924353436072492745962727"]},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/e376b3dd401339cf736b1f76948b2f2338a647c9","target":{"file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-243381410-826b75af"}],"fixes":["https://android.googlesource.com/platform/frameworks/av/+/e376b3dd401339cf736b1f76948b2f2338a647c9"],"spl":"2023-11-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-243381410.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-11-01"}]}],"versions":["12L"],"ecosystem_specific":{"vanir_signatures":[{"match_only_versions":["12L"],"signature_type":"Function","digest":{"length":313,"function_hash":"156322528856444147556699193616146441238"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/d0645e1ca9d985acbf679ba29cc886bdd217ec55","target":{"function":"MtpFfsHandle::doSendEvent","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","id":"ASB-A-243381410-15013ffe"},{"digest":{"length":85,"function_hash":"187296678320389610812168504060705140071"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/d0645e1ca9d985acbf679ba29cc886bdd217ec55","target":{"function":"MtpFfsHandle::close","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-243381410-b01d102a"},{"digest":{"length":282,"function_hash":"276487615277169573715096579113361679539"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/d0645e1ca9d985acbf679ba29cc886bdd217ec55","target":{"function":"MtpFfsHandle::sendEvent","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-243381410-caa75c9e"},{"digest":{"threshold":0.9,"line_hashes":["257946880689431607607846921277362628984","214813738760782162275727667657187336111","311949162191875777493563203535787409328"]},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/d0645e1ca9d985acbf679ba29cc886bdd217ec55","target":{"file":"media/mtp/MtpFfsHandle.h"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-243381410-d459851d"},{"digest":{"threshold":0.9,"line_hashes":["104378138219268779814330118595398296666","204458413345149048668434331184071604602","274746092296857967025830671311052618919","118046279412932046354249876989352904934","69565515035292456810716684427000415482","299347034252007468155409632366504270155","153406248780684167603897372426184570892","21845633233846915759719832940100001890","113618895588595597258975882515016568485","151515614438489737464926123216152085661","221010358112329924353436072492745962727"]},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/d0645e1ca9d985acbf679ba29cc886bdd217ec55","target":{"file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-243381410-ef64f868"}],"fixes":["https://android.googlesource.com/platform/frameworks/av/+/d0645e1ca9d985acbf679ba29cc886bdd217ec55"],"spl":"2023-11-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-243381410.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-11-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"length":85,"function_hash":"187296678320389610812168504060705140071"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/05dc1c083095ebee0faa20498153eb466082ace0","target":{"function":"MtpFfsHandle::close","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-243381410-3dfba4ff"},{"digest":{"threshold":0.9,"line_hashes":["104378138219268779814330118595398296666","204458413345149048668434331184071604602","274746092296857967025830671311052618919","118046279412932046354249876989352904934","69565515035292456810716684427000415482","299347034252007468155409632366504270155","153406248780684167603897372426184570892","21845633233846915759719832940100001890","113618895588595597258975882515016568485","151515614438489737464926123216152085661","221010358112329924353436072492745962727"]},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/05dc1c083095ebee0faa20498153eb466082ace0","target":{"file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-243381410-5ef6fb3a"},{"digest":{"length":282,"function_hash":"276487615277169573715096579113361679539"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/05dc1c083095ebee0faa20498153eb466082ace0","target":{"function":"MtpFfsHandle::sendEvent","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-243381410-6607fff4"},{"digest":{"threshold":0.9,"line_hashes":["257946880689431607607846921277362628984","214813738760782162275727667657187336111","311949162191875777493563203535787409328"]},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/05dc1c083095ebee0faa20498153eb466082ace0","target":{"file":"media/mtp/MtpFfsHandle.h"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-243381410-72c2f4c6"},{"match_only_versions":["13"],"signature_type":"Function","digest":{"length":313,"function_hash":"156322528856444147556699193616146441238"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/05dc1c083095ebee0faa20498153eb466082ace0","target":{"function":"MtpFfsHandle::doSendEvent","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","id":"ASB-A-243381410-bba9b650"}],"fixes":["https://android.googlesource.com/platform/frameworks/av/+/05dc1c083095ebee0faa20498153eb466082ace0"],"spl":"2023-11-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-243381410.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2023-11-01"}]}],"versions":["14"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"length":85,"function_hash":"187296678320389610812168504060705140071"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/e2c99e1e3a87368477f888f56944ec11c8d11a6e","target":{"function":"MtpFfsHandle::close","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-243381410-4ef287e3"},{"digest":{"threshold":0.9,"line_hashes":["257946880689431607607846921277362628984","214813738760782162275727667657187336111","311949162191875777493563203535787409328"]},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/e2c99e1e3a87368477f888f56944ec11c8d11a6e","target":{"file":"media/mtp/MtpFfsHandle.h"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-243381410-8c10c6e5"},{"match_only_versions":["14"],"signature_type":"Function","digest":{"length":313,"function_hash":"156322528856444147556699193616146441238"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/e2c99e1e3a87368477f888f56944ec11c8d11a6e","target":{"function":"MtpFfsHandle::doSendEvent","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","id":"ASB-A-243381410-8e6b531a"},{"digest":{"threshold":0.9,"line_hashes":["104378138219268779814330118595398296666","204458413345149048668434331184071604602","274746092296857967025830671311052618919","118046279412932046354249876989352904934","69565515035292456810716684427000415482","299347034252007468155409632366504270155","153406248780684167603897372426184570892","21845633233846915759719832940100001890","113618895588595597258975882515016568485","151515614438489737464926123216152085661","221010358112329924353436072492745962727"]},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/e2c99e1e3a87368477f888f56944ec11c8d11a6e","target":{"file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-243381410-9fdeae0c"},{"digest":{"length":282,"function_hash":"276487615277169573715096579113361679539"},"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/av/+/e2c99e1e3a87368477f888f56944ec11c8d11a6e","target":{"function":"MtpFfsHandle::sendEvent","file":"media/mtp/MtpFfsHandle.cpp"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-243381410-cdc5fd5f"}],"fixes":["https://android.googlesource.com/platform/frameworks/av/+/e2c99e1e3a87368477f888f56944ec11c8d11a6e"],"spl":"2023-11-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-243381410.json"}}],"schema_version":"1.7.5"}