{"id":"ASB-A-283699145","details":"In onTransact of IncidentService.cpp, there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-283699145","CVE-2023-40091"],"modified":"2026-04-24T15:37:38.793646Z","published":"2023-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/0ec7b119d41adcbba23f9349e16de9e7e11683f6"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2023-12-01"}]}],"versions":["14-next"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/ba78ef276951269f7b024baebdf1b8fa40bedb23","signature_version":"v1","signature_type":"Line","deprecated":false,"id":"ASB-A-283699145-b708d3c2","digest":{"threshold":0.9,"line_hashes":["172443825425735659130612088279631497838","87095234300440577981712593612054653192","181035596412257502561531291368585469683","178560458846057669041384444199635420189","272320636500326788687113970580329097263","124938934875534925526175360237650061883","266767335645061768932475154149530364725","141177541074504564839850689640202501430","78165157138368822931328054849781914200","223486805494479665078780819804238327125","167681171040007542862107872106203057846","76969655573289818818651540298835593549","10956823126506419822393896227440217122","125571098748896862381169465902116515961","58282277178717432294300886937119173818","283374286640108271559969475024193896829","132881330010620496522334561253869658802"]},"target":{"file":"cmds/incidentd/src/IncidentService.cpp"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/ba78ef276951269f7b024baebdf1b8fa40bedb23","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-283699145-d157f143","digest":{"function_hash":"205720072474376637546658943542620039004","length":1260},"target":{"function":"IncidentService::onTransact","file":"cmds/incidentd/src/IncidentService.cpp"}}],"spl":"2023-12-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/ba78ef276951269f7b024baebdf1b8fa40bedb23"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-283699145.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-12-01"}]}],"versions":["11"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/b4aaf180ee8f3e375c7ab411f03cf9c24c1d8055","signature_version":"v1","signature_type":"Line","deprecated":false,"id":"ASB-A-283699145-24e30172","digest":{"threshold":0.9,"line_hashes":["172443825425735659130612088279631497838","87095234300440577981712593612054653192","181035596412257502561531291368585469683","178560458846057669041384444199635420189","272320636500326788687113970580329097263","124938934875534925526175360237650061883","302862291444684829093576579100726276569","36201056607344935758438273136816154414","109823369971792074326148648264918672981","223486805494479665078780819804238327125","167681171040007542862107872106203057846","76969655573289818818651540298835593549","10956823126506419822393896227440217122","125571098748896862381169465902116515961","58282277178717432294300886937119173818","283374286640108271559969475024193896829","132881330010620496522334561253869658802"]},"target":{"file":"cmds/incidentd/src/IncidentService.cpp"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/b4aaf180ee8f3e375c7ab411f03cf9c24c1d8055","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-283699145-99256717","digest":{"function_hash":"175548108494891799001190044926229152188","length":1215},"target":{"function":"IncidentService::onTransact","file":"cmds/incidentd/src/IncidentService.cpp"}}],"spl":"2023-12-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/b4aaf180ee8f3e375c7ab411f03cf9c24c1d8055"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-283699145.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-12-01"}]}],"versions":["12"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/598dc664d4844363be12e0d164e1e522f92fa23f","signature_version":"v1","signature_type":"Line","deprecated":false,"id":"ASB-A-283699145-5311c2a1","digest":{"threshold":0.9,"line_hashes":["172443825425735659130612088279631497838","87095234300440577981712593612054653192","181035596412257502561531291368585469683","178560458846057669041384444199635420189","272320636500326788687113970580329097263","124938934875534925526175360237650061883","302862291444684829093576579100726276569","36201056607344935758438273136816154414","109823369971792074326148648264918672981","223486805494479665078780819804238327125","167681171040007542862107872106203057846","76969655573289818818651540298835593549","10956823126506419822393896227440217122","125571098748896862381169465902116515961","58282277178717432294300886937119173818","283374286640108271559969475024193896829","132881330010620496522334561253869658802"]},"target":{"file":"cmds/incidentd/src/IncidentService.cpp"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/598dc664d4844363be12e0d164e1e522f92fa23f","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-283699145-75d824f3","digest":{"function_hash":"175548108494891799001190044926229152188","length":1215},"target":{"function":"IncidentService::onTransact","file":"cmds/incidentd/src/IncidentService.cpp"}}],"spl":"2023-12-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/598dc664d4844363be12e0d164e1e522f92fa23f"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-283699145.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-12-01"}]}],"versions":["12L"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/db60b2f5e004a4b303c70bdecb94d4b40f29cc33","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-283699145-dca9ba9d","digest":{"function_hash":"175548108494891799001190044926229152188","length":1215},"target":{"function":"IncidentService::onTransact","file":"cmds/incidentd/src/IncidentService.cpp"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/db60b2f5e004a4b303c70bdecb94d4b40f29cc33","signature_version":"v1","signature_type":"Line","deprecated":false,"id":"ASB-A-283699145-f9c9fbfa","digest":{"threshold":0.9,"line_hashes":["172443825425735659130612088279631497838","87095234300440577981712593612054653192","181035596412257502561531291368585469683","178560458846057669041384444199635420189","272320636500326788687113970580329097263","124938934875534925526175360237650061883","302862291444684829093576579100726276569","36201056607344935758438273136816154414","109823369971792074326148648264918672981","223486805494479665078780819804238327125","167681171040007542862107872106203057846","76969655573289818818651540298835593549","10956823126506419822393896227440217122","125571098748896862381169465902116515961","58282277178717432294300886937119173818","283374286640108271559969475024193896829","132881330010620496522334561253869658802"]},"target":{"file":"cmds/incidentd/src/IncidentService.cpp"}}],"spl":"2023-12-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/db60b2f5e004a4b303c70bdecb94d4b40f29cc33"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-283699145.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-12-01"}]}],"versions":["13"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/6fe75d9d37321843ebae8a34a049f4d3f24e1965","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-283699145-4d281e2d","digest":{"function_hash":"175548108494891799001190044926229152188","length":1215},"target":{"function":"IncidentService::onTransact","file":"cmds/incidentd/src/IncidentService.cpp"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/6fe75d9d37321843ebae8a34a049f4d3f24e1965","signature_version":"v1","signature_type":"Line","deprecated":false,"id":"ASB-A-283699145-4e2c2572","digest":{"threshold":0.9,"line_hashes":["172443825425735659130612088279631497838","87095234300440577981712593612054653192","181035596412257502561531291368585469683","178560458846057669041384444199635420189","272320636500326788687113970580329097263","124938934875534925526175360237650061883","302862291444684829093576579100726276569","36201056607344935758438273136816154414","109823369971792074326148648264918672981","223486805494479665078780819804238327125","167681171040007542862107872106203057846","76969655573289818818651540298835593549","10956823126506419822393896227440217122","125571098748896862381169465902116515961","58282277178717432294300886937119173818","283374286640108271559969475024193896829","132881330010620496522334561253869658802"]},"target":{"file":"cmds/incidentd/src/IncidentService.cpp"}}],"spl":"2023-12-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/6fe75d9d37321843ebae8a34a049f4d3f24e1965"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-283699145.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2023-12-01"}]}],"versions":["14"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/5ae8b8102cbcae0aa9a90d1c19197b74bdcaf31a","signature_version":"v1","signature_type":"Line","deprecated":false,"id":"ASB-A-283699145-89d488d8","digest":{"threshold":0.9,"line_hashes":["172443825425735659130612088279631497838","87095234300440577981712593612054653192","181035596412257502561531291368585469683","178560458846057669041384444199635420189","272320636500326788687113970580329097263","124938934875534925526175360237650061883","302862291444684829093576579100726276569","36201056607344935758438273136816154414","109823369971792074326148648264918672981","223486805494479665078780819804238327125","167681171040007542862107872106203057846","76969655573289818818651540298835593549","10956823126506419822393896227440217122","125571098748896862381169465902116515961","58282277178717432294300886937119173818","283374286640108271559969475024193896829","132881330010620496522334561253869658802"]},"target":{"file":"cmds/incidentd/src/IncidentService.cpp"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/5ae8b8102cbcae0aa9a90d1c19197b74bdcaf31a","signature_version":"v1","signature_type":"Function","deprecated":false,"id":"ASB-A-283699145-bbe08ca7","digest":{"function_hash":"175548108494891799001190044926229152188","length":1215},"target":{"function":"IncidentService::onTransact","file":"cmds/incidentd/src/IncidentService.cpp"}}],"spl":"2023-12-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/5ae8b8102cbcae0aa9a90d1c19197b74bdcaf31a"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-283699145.json"}}],"schema_version":"1.7.5"}