{"id":"ASB-A-245135112","details":"In MtpPropertyValue of MtpProperty.h, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-245135112","CVE-2023-35687"],"modified":"2026-05-01T15:24:27.653932Z","published":"2023-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-09-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/av/+/ea6131efa76a0b2a12724ffd157909e2c6fb4036"}],"affected":[{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-09-01"}]}],"versions":["13-next"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["49440150004597398374299339656218450864","135677111807147160386708736057925333638","202537571553025539675748916310275647158","296972742206731287151675506359443186515"],"threshold":0.9},"target":{"file":"media/mtp/MtpProperty.h"},"deprecated":false,"id":"ASB-A-245135112-0858d31e","source":"https://android.googlesource.com/platform/frameworks/av/+/3afa6e80e8568fe63f893fa354bc79ef91d3dcc0"}],"fixes":["https://android.googlesource.com/platform/frameworks/av/+/3afa6e80e8568fe63f893fa354bc79ef91d3dcc0"],"severity":"High","spl":"2023-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-245135112.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-09-01"}]}],"versions":["11"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["49440150004597398374299339656218450864","135677111807147160386708736057925333638","202537571553025539675748916310275647158","296972742206731287151675506359443186515"],"threshold":0.9},"target":{"file":"media/mtp/MtpProperty.h"},"deprecated":false,"id":"ASB-A-245135112-c2c06a9e","source":"https://android.googlesource.com/platform/frameworks/av/+/d44311374e41a26b28db56794c9a7890a13a6972"}],"fixes":["https://android.googlesource.com/platform/frameworks/av/+/d44311374e41a26b28db56794c9a7890a13a6972"],"severity":"High","spl":"2023-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-245135112.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-09-01"}]}],"versions":["12"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["49440150004597398374299339656218450864","135677111807147160386708736057925333638","202537571553025539675748916310275647158","296972742206731287151675506359443186515"],"threshold":0.9},"target":{"file":"media/mtp/MtpProperty.h"},"deprecated":false,"id":"ASB-A-245135112-b87de1b5","source":"https://android.googlesource.com/platform/frameworks/av/+/c138d20635694857754f2b7de2342089de13d556"}],"fixes":["https://android.googlesource.com/platform/frameworks/av/+/c138d20635694857754f2b7de2342089de13d556"],"severity":"High","spl":"2023-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-245135112.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-09-01"}]}],"versions":["12L"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["49440150004597398374299339656218450864","135677111807147160386708736057925333638","202537571553025539675748916310275647158","296972742206731287151675506359443186515"],"threshold":0.9},"target":{"file":"media/mtp/MtpProperty.h"},"deprecated":false,"id":"ASB-A-245135112-cbf2e1fd","source":"https://android.googlesource.com/platform/frameworks/av/+/5825299cf697df203ce42f67f741731b97f96071"}],"fixes":["https://android.googlesource.com/platform/frameworks/av/+/5825299cf697df203ce42f67f741731b97f96071"],"severity":"High","spl":"2023-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-245135112.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-09-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["49440150004597398374299339656218450864","135677111807147160386708736057925333638","202537571553025539675748916310275647158","296972742206731287151675506359443186515"],"threshold":0.9},"target":{"file":"media/mtp/MtpProperty.h"},"deprecated":false,"id":"ASB-A-245135112-96b0935d","source":"https://android.googlesource.com/platform/frameworks/av/+/99d0823ca2b8275f000a437150fb8d1938b1b31a"}],"fixes":["https://android.googlesource.com/platform/frameworks/av/+/99d0823ca2b8275f000a437150fb8d1938b1b31a"],"severity":"High","spl":"2023-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-245135112.json"}}],"schema_version":"1.7.5"}