{"id":"ASB-A-274058082","details":"In android_view_InputDevice_create of android_view_InputDevice.cpp, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-274058082","CVE-2023-40140"],"modified":"2026-04-27T15:40:08.012512Z","published":"2023-10-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-10-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/2d88a5c481df8986dbba2e02c5bf82f105b36243"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2023-10-01"}]}],"versions":["14-next"],"ecosystem_specific":{"spl":"2023-10-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/3d993de0d1ada8065d1fe561f690c8f82b6a7d4b"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/3d993de0d1ada8065d1fe561f690c8f82b6a7d4b","signature_type":"Line","target":{"file":"core/jni/android_view_InputDevice.cpp"},"signature_version":"v1","digest":{"line_hashes":["125676492766106711951596617785195971855","185879384200682738715378114506687516778","338104229701745523250922630123558121720","164483218690317520296748166909634886132","241981070728565826920380962268949800827","20744690058626963785589292893573941149","194452586477869734798399918003040292452","136458635348825470205537341173414825837"],"threshold":0.9},"id":"ASB-A-274058082-049482b7","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/base/+/3d993de0d1ada8065d1fe561f690c8f82b6a7d4b","signature_type":"Function","target":{"function":"android_view_InputDevice_create","file":"core/jni/android_view_InputDevice.cpp"},"signature_version":"v1","digest":{"function_hash":"158139996614015754754528683268877777485","length":1531},"id":"ASB-A-274058082-c4715c80","deprecated":false}],"severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-274058082.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-10-01"}]}],"versions":["11"],"ecosystem_specific":{"spl":"2023-10-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/4b3c4620166071561ec44961fb08a56676b4fd6c","https://android.googlesource.com/platform/frameworks/base/+/aaaba6cf190d976efdc5db6c78997dbdc9214c15"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/aaaba6cf190d976efdc5db6c78997dbdc9214c15","signature_type":"Line","target":{"file":"core/jni/android_view_InputDevice.cpp"},"signature_version":"v1","digest":{"line_hashes":["230305232859421759719948898271091435181","175698175548647830746462066481850780724","48609923683176244895431102128720532167","218957895753685007551547150603647047350"],"threshold":0.9},"id":"ASB-A-274058082-0312669d","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/base/+/aaaba6cf190d976efdc5db6c78997dbdc9214c15","signature_type":"Function","target":{"function":"android_view_InputDevice_create","file":"core/jni/android_view_InputDevice.cpp"},"signature_version":"v1","digest":{"function_hash":"264988005883883338717759010747986694755","length":1611},"id":"ASB-A-274058082-12ed3f18","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/base/+/4b3c4620166071561ec44961fb08a56676b4fd6c","signature_type":"Line","target":{"file":"core/jni/android_view_InputDevice.cpp"},"signature_version":"v1","digest":{"line_hashes":["305811479980129423563913840842893721562","199507713459967536283705882506495094259","164483218690317520296748166909634886132","241981070728565826920380962268949800827","20744690058626963785589292893573941149","194452586477869734798399918003040292452","136458635348825470205537341173414825837"],"threshold":0.9},"id":"ASB-A-274058082-590a4d19","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/base/+/4b3c4620166071561ec44961fb08a56676b4fd6c","signature_type":"Function","target":{"function":"android_view_InputDevice_create","file":"core/jni/android_view_InputDevice.cpp"},"signature_version":"v1","digest":{"function_hash":"279694627074942626613480915343931525335","length":1482},"id":"ASB-A-274058082-b2af2b90","deprecated":false}],"severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-274058082.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-10-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2023-10-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/3d993de0d1ada8065d1fe561f690c8f82b6a7d4b"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/3d993de0d1ada8065d1fe561f690c8f82b6a7d4b","signature_type":"Function","target":{"function":"android_view_InputDevice_create","file":"core/jni/android_view_InputDevice.cpp"},"signature_version":"v1","digest":{"function_hash":"158139996614015754754528683268877777485","length":1531},"id":"ASB-A-274058082-1c277084","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/base/+/3d993de0d1ada8065d1fe561f690c8f82b6a7d4b","signature_type":"Line","target":{"file":"core/jni/android_view_InputDevice.cpp"},"signature_version":"v1","digest":{"line_hashes":["125676492766106711951596617785195971855","185879384200682738715378114506687516778","338104229701745523250922630123558121720","164483218690317520296748166909634886132","241981070728565826920380962268949800827","20744690058626963785589292893573941149","194452586477869734798399918003040292452","136458635348825470205537341173414825837"],"threshold":0.9},"id":"ASB-A-274058082-842a1e12","deprecated":false}],"severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-274058082.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-10-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2023-10-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/3d993de0d1ada8065d1fe561f690c8f82b6a7d4b"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/3d993de0d1ada8065d1fe561f690c8f82b6a7d4b","signature_type":"Line","target":{"file":"core/jni/android_view_InputDevice.cpp"},"signature_version":"v1","digest":{"line_hashes":["125676492766106711951596617785195971855","185879384200682738715378114506687516778","338104229701745523250922630123558121720","164483218690317520296748166909634886132","241981070728565826920380962268949800827","20744690058626963785589292893573941149","194452586477869734798399918003040292452","136458635348825470205537341173414825837"],"threshold":0.9},"id":"ASB-A-274058082-ced6b9b1","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/base/+/3d993de0d1ada8065d1fe561f690c8f82b6a7d4b","signature_type":"Function","target":{"function":"android_view_InputDevice_create","file":"core/jni/android_view_InputDevice.cpp"},"signature_version":"v1","digest":{"function_hash":"158139996614015754754528683268877777485","length":1531},"id":"ASB-A-274058082-f794cb00","deprecated":false}],"severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-274058082.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-10-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2023-10-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/3d993de0d1ada8065d1fe561f690c8f82b6a7d4b"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/3d993de0d1ada8065d1fe561f690c8f82b6a7d4b","signature_type":"Function","target":{"function":"android_view_InputDevice_create","file":"core/jni/android_view_InputDevice.cpp"},"signature_version":"v1","digest":{"function_hash":"158139996614015754754528683268877777485","length":1531},"id":"ASB-A-274058082-a3b35f74","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/base/+/3d993de0d1ada8065d1fe561f690c8f82b6a7d4b","signature_type":"Line","target":{"file":"core/jni/android_view_InputDevice.cpp"},"signature_version":"v1","digest":{"line_hashes":["125676492766106711951596617785195971855","185879384200682738715378114506687516778","338104229701745523250922630123558121720","164483218690317520296748166909634886132","241981070728565826920380962268949800827","20744690058626963785589292893573941149","194452586477869734798399918003040292452","136458635348825470205537341173414825837"],"threshold":0.9},"id":"ASB-A-274058082-e58565d9","deprecated":false}],"severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-274058082.json"}}],"schema_version":"1.7.5"}