{"id":"ASB-A-285645039","details":"In readLogs of StatsService.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-285645039","CVE-2023-40115"],"modified":"2026-05-15T15:01:37.959123Z","published":"2023-11-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-11-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/modules/StatsD/+/e4cd2d8f75d1b7b83a759d752f38099a9aa9997e"}],"affected":[{"package":{"name":"platform/packages/modules/StatsD","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2023-11-01"}]}],"versions":["14-next"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"target":{"function":"StatsService::readLogs","file":"statsd/src/StatsService.cpp"},"digest":{"length":222,"function_hash":"190139916014078794201190441593495255888"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/3937ea3cdcf531a14cdba4ef176d8aa89d9d6066","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-2321da57"},{"target":{"function":"mInitEventDelaySecs","file":"statsd/src/StatsService.cpp"},"digest":{"length":2525,"function_hash":"170025933828175594194721604275166181251"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/3937ea3cdcf531a14cdba4ef176d8aa89d9d6066","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-9bfacc48"},{"target":{"file":"statsd/src/StatsService.h"},"digest":{"threshold":0.9,"line_hashes":["24938293731554636473098398205316056354","18944739092555810520413270013999179633","62673561178611369184800734059699398735","107651199482235546255415669659835414516","15664087137759784019850001285856476293","52788991262695293056646716387794235053"]},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/3937ea3cdcf531a14cdba4ef176d8aa89d9d6066","signature_version":"v1","signature_type":"Line","id":"ASB-A-285645039-bfd554da"},{"target":{"file":"statsd/src/StatsService.cpp"},"digest":{"threshold":0.9,"line_hashes":["284175425589097230727147656800977346044","334369693926564463613608742465654614201","288223269456115365291245602458738083098","148667828061323797183185443430761605895","283245882279883015538077767184721125668","91011422154839185681590367440624013254","228991447056343218450583282699753578122","200991055704848072321835649022205081417","314445733331473514438239458627334934923","290215494774479982526444497481484572928","150837300128228537133125342259255129700","158274056577435042297687633569209542541","299056411393582019832200088668149889192","108587633537507210242609878158511307392","108587633537507210242609878158511307392"]},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/3937ea3cdcf531a14cdba4ef176d8aa89d9d6066","signature_version":"v1","signature_type":"Line","id":"ASB-A-285645039-d3caf925"},{"target":{"function":"StatsService::~StatsService","file":"statsd/src/StatsService.cpp"},"digest":{"length":37,"function_hash":"290532900627309439606711308425738821162"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/3937ea3cdcf531a14cdba4ef176d8aa89d9d6066","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-efd083d9"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/packages/modules/StatsD/+/3937ea3cdcf531a14cdba4ef176d8aa89d9d6066"],"spl":"2023-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-285645039.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-11-01"}]}],"versions":["11"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"target":{"function":"StatsService::readLogs","file":"cmds/statsd/src/StatsService.cpp"},"digest":{"length":222,"function_hash":"190139916014078794201190441593495255888"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/03de4e4f1a0546fdd3b002651851bee9ffe0e11b","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-5abb01b1"},{"target":{"file":"cmds/statsd/src/StatsService.h"},"digest":{"threshold":0.9,"line_hashes":["9560257399028977192882822136888446391","6814727255881169936930416864601371522","95344555408575203031917538580592384557","131440157779380392246526055656246270484","208613213791790390267597640934962107644","94612942637015893079560201185174185719","149102618012575246417676794546503739423"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/03de4e4f1a0546fdd3b002651851bee9ffe0e11b","signature_version":"v1","signature_type":"Line","id":"ASB-A-285645039-73a84601"},{"target":{"file":"cmds/statsd/src/StatsService.cpp"},"digest":{"threshold":0.9,"line_hashes":["162094486690609551357265491806306373800","21343630666638973742897342745690999120","288223269456115365291245602458738083098","148667828061323797183185443430761605895","283245882279883015538077767184721125668","91011422154839185681590367440624013254","228991447056343218450583282699753578122","200991055704848072321835649022205081417","314445733331473514438239458627334934923","290215494774479982526444497481484572928","150837300128228537133125342259255129700","158274056577435042297687633569209542541","335343134791047350178012205680999322642","191751358642596428187797542992949197800","108587633537507210242609878158511307392"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/03de4e4f1a0546fdd3b002651851bee9ffe0e11b","signature_version":"v1","signature_type":"Line","id":"ASB-A-285645039-797889bb"},{"target":{"function":"StatsService::~StatsService","file":"cmds/statsd/src/StatsService.cpp"},"digest":{"length":37,"function_hash":"290532900627309439606711308425738821162"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/03de4e4f1a0546fdd3b002651851bee9ffe0e11b","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-8fa418a0"},{"target":{"function":"mStatsCompanionServiceDeathRecipient","file":"cmds/statsd/src/StatsService.cpp"},"digest":{"length":1584,"function_hash":"74176117800312312752666027285333827045"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/03de4e4f1a0546fdd3b002651851bee9ffe0e11b","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-ad3d2575"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/03de4e4f1a0546fdd3b002651851bee9ffe0e11b"],"spl":"2023-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-285645039.json"}},{"package":{"name":"platform/packages/modules/StatsD","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-11-01"}]}],"versions":["12"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"target":{"file":"statsd/src/StatsService.h"},"digest":{"threshold":0.9,"line_hashes":["9560257399028977192882822136888446391","6814727255881169936930416864601371522","95344555408575203031917538580592384557","208613213791790390267597640934962107644","94612942637015893079560201185174185719","149102618012575246417676794546503739423"]},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/e67695fae80d3164f5cd5237ebf1b7a0dbfed6f4","signature_version":"v1","signature_type":"Line","id":"ASB-A-285645039-09dc6373"},{"target":{"file":"statsd/src/StatsService.cpp"},"digest":{"threshold":0.9,"line_hashes":["162094486690609551357265491806306373800","21343630666638973742897342745690999120","288223269456115365291245602458738083098","148667828061323797183185443430761605895","283245882279883015538077767184721125668","91011422154839185681590367440624013254","228991447056343218450583282699753578122","200991055704848072321835649022205081417","314445733331473514438239458627334934923","290215494774479982526444497481484572928","150837300128228537133125342259255129700","158274056577435042297687633569209542541","335343134791047350178012205680999322642","191751358642596428187797542992949197800","108587633537507210242609878158511307392"]},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/e67695fae80d3164f5cd5237ebf1b7a0dbfed6f4","signature_version":"v1","signature_type":"Line","id":"ASB-A-285645039-38a49bba"},{"target":{"function":"StatsService::readLogs","file":"statsd/src/StatsService.cpp"},"digest":{"length":222,"function_hash":"190139916014078794201190441593495255888"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/e67695fae80d3164f5cd5237ebf1b7a0dbfed6f4","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-a22d4b2a"},{"target":{"function":"mStatsCompanionServiceDeathRecipient","file":"statsd/src/StatsService.cpp"},"digest":{"length":1584,"function_hash":"74176117800312312752666027285333827045"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/e67695fae80d3164f5cd5237ebf1b7a0dbfed6f4","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-c654231e"},{"target":{"function":"StatsService::~StatsService","file":"statsd/src/StatsService.cpp"},"digest":{"length":37,"function_hash":"290532900627309439606711308425738821162"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/e67695fae80d3164f5cd5237ebf1b7a0dbfed6f4","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-e6cbc6f9"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/packages/modules/StatsD/+/e67695fae80d3164f5cd5237ebf1b7a0dbfed6f4"],"spl":"2023-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-285645039.json"}},{"package":{"name":"platform/packages/modules/StatsD","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-11-01"}]}],"versions":["12L"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"target":{"function":"mStatsCompanionServiceDeathRecipient","file":"statsd/src/StatsService.cpp"},"digest":{"length":1584,"function_hash":"74176117800312312752666027285333827045"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/d3bee21e053401c30a1a5cee5a7ddd2d9fa0463e","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-3ae10a1a"},{"target":{"function":"StatsService::~StatsService","file":"statsd/src/StatsService.cpp"},"digest":{"length":37,"function_hash":"290532900627309439606711308425738821162"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/d3bee21e053401c30a1a5cee5a7ddd2d9fa0463e","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-5cd93382"},{"target":{"function":"StatsService::readLogs","file":"statsd/src/StatsService.cpp"},"digest":{"length":222,"function_hash":"190139916014078794201190441593495255888"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/d3bee21e053401c30a1a5cee5a7ddd2d9fa0463e","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-6335df16"},{"target":{"file":"statsd/src/StatsService.cpp"},"digest":{"threshold":0.9,"line_hashes":["162094486690609551357265491806306373800","21343630666638973742897342745690999120","288223269456115365291245602458738083098","148667828061323797183185443430761605895","283245882279883015538077767184721125668","91011422154839185681590367440624013254","228991447056343218450583282699753578122","200991055704848072321835649022205081417","314445733331473514438239458627334934923","290215494774479982526444497481484572928","150837300128228537133125342259255129700","158274056577435042297687633569209542541","335343134791047350178012205680999322642","191751358642596428187797542992949197800","108587633537507210242609878158511307392"]},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/d3bee21e053401c30a1a5cee5a7ddd2d9fa0463e","signature_version":"v1","signature_type":"Line","id":"ASB-A-285645039-b24378a7"},{"target":{"file":"statsd/src/StatsService.h"},"digest":{"threshold":0.9,"line_hashes":["9560257399028977192882822136888446391","6814727255881169936930416864601371522","95344555408575203031917538580592384557","208613213791790390267597640934962107644","94612942637015893079560201185174185719","149102618012575246417676794546503739423"]},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/d3bee21e053401c30a1a5cee5a7ddd2d9fa0463e","signature_version":"v1","signature_type":"Line","id":"ASB-A-285645039-baaf2c19"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/packages/modules/StatsD/+/d3bee21e053401c30a1a5cee5a7ddd2d9fa0463e"],"spl":"2023-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-285645039.json"}},{"package":{"name":"platform/packages/modules/StatsD","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-11-01"}]}],"versions":["13"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"target":{"file":"statsd/src/StatsService.h"},"digest":{"threshold":0.9,"line_hashes":["9560257399028977192882822136888446391","6814727255881169936930416864601371522","95344555408575203031917538580592384557","208613213791790390267597640934962107644","94612942637015893079560201185174185719","149102618012575246417676794546503739423"]},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/8dca7a8e0f241a041ac2e061c0070839aee560ff","signature_version":"v1","signature_type":"Line","id":"ASB-A-285645039-24b1ceba"},{"target":{"function":"mStatsCompanionServiceDeathRecipient","file":"statsd/src/StatsService.cpp"},"digest":{"length":1932,"function_hash":"150911719169882205645024166510874957982"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/8dca7a8e0f241a041ac2e061c0070839aee560ff","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-2a98aade"},{"target":{"function":"StatsService::~StatsService","file":"statsd/src/StatsService.cpp"},"digest":{"length":37,"function_hash":"290532900627309439606711308425738821162"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/8dca7a8e0f241a041ac2e061c0070839aee560ff","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-a7518c2f"},{"target":{"function":"StatsService::readLogs","file":"statsd/src/StatsService.cpp"},"digest":{"length":222,"function_hash":"190139916014078794201190441593495255888"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/8dca7a8e0f241a041ac2e061c0070839aee560ff","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-b4c7688d"},{"target":{"file":"statsd/src/StatsService.cpp"},"digest":{"threshold":0.9,"line_hashes":["162094486690609551357265491806306373800","21343630666638973742897342745690999120","288223269456115365291245602458738083098","148667828061323797183185443430761605895","283245882279883015538077767184721125668","91011422154839185681590367440624013254","228991447056343218450583282699753578122","200991055704848072321835649022205081417","314445733331473514438239458627334934923","290215494774479982526444497481484572928","150837300128228537133125342259255129700","158274056577435042297687633569209542541","335343134791047350178012205680999322642","191751358642596428187797542992949197800","108587633537507210242609878158511307392"]},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/8dca7a8e0f241a041ac2e061c0070839aee560ff","signature_version":"v1","signature_type":"Line","id":"ASB-A-285645039-d7c42036"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/packages/modules/StatsD/+/8dca7a8e0f241a041ac2e061c0070839aee560ff"],"spl":"2023-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-285645039.json"}},{"package":{"name":"platform/packages/modules/StatsD","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2023-11-01"}]}],"versions":["14"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"target":{"file":"statsd/src/StatsService.cpp"},"digest":{"threshold":0.9,"line_hashes":["162094486690609551357265491806306373800","21343630666638973742897342745690999120","288223269456115365291245602458738083098","148667828061323797183185443430761605895","283245882279883015538077767184721125668","91011422154839185681590367440624013254","228991447056343218450583282699753578122","200991055704848072321835649022205081417","314445733331473514438239458627334934923","290215494774479982526444497481484572928","150837300128228537133125342259255129700","158274056577435042297687633569209542541","299056411393582019832200088668149889192","108587633537507210242609878158511307392","108587633537507210242609878158511307392"]},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/c578fa427fea745fd4555ee23d5642a1d2cd0ce3","signature_version":"v1","signature_type":"Line","id":"ASB-A-285645039-02c1fe38"},{"target":{"function":"mInitEventDelaySecs","file":"statsd/src/StatsService.cpp"},"digest":{"length":2510,"function_hash":"122149015475048257650068008049466191562"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/c578fa427fea745fd4555ee23d5642a1d2cd0ce3","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-225fa4c3"},{"target":{"file":"statsd/src/StatsService.h"},"digest":{"threshold":0.9,"line_hashes":["24938293731554636473098398205316056354","18944739092555810520413270013999179633","62673561178611369184800734059699398735","107651199482235546255415669659835414516","15664087137759784019850001285856476293","52788991262695293056646716387794235053"]},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/c578fa427fea745fd4555ee23d5642a1d2cd0ce3","signature_version":"v1","signature_type":"Line","id":"ASB-A-285645039-4a816df9"},{"target":{"function":"StatsService::~StatsService","file":"statsd/src/StatsService.cpp"},"digest":{"length":37,"function_hash":"290532900627309439606711308425738821162"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/c578fa427fea745fd4555ee23d5642a1d2cd0ce3","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-537165a9"},{"target":{"function":"StatsService::readLogs","file":"statsd/src/StatsService.cpp"},"digest":{"length":222,"function_hash":"190139916014078794201190441593495255888"},"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/StatsD/+/c578fa427fea745fd4555ee23d5642a1d2cd0ce3","signature_version":"v1","signature_type":"Function","id":"ASB-A-285645039-f8e3caeb"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/packages/modules/StatsD/+/c578fa427fea745fd4555ee23d5642a1d2cd0ce3"],"spl":"2023-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-285645039.json"}}],"schema_version":"1.7.5"}