{"id":"ASB-A-294609150","details":"In multiple functions of ashmem-dev.cpp, there is a possible missing seal due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-294609150","CVE-2024-0033"],"modified":"2026-05-22T15:55:21.353668239Z","published":"2024-02-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2024-02-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/native/+/aa98edf0ce9dde4886979658a459900ca987f193"},{"type":"FIX","url":"https://android.googlesource.com/platform/system/core/+/46d46dc46446f14f26fbe8fb102dd36c1dfc1229"}],"affected":[{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2024-02-01"}]}],"versions":["14-next"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","signature_version":"v1","id":"ASB-A-294609150-58741196","target":{"file":"libs/binder/MemoryHeapBase.cpp"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["218321599948717590714487254783163945621","45588506461727005894535084985380218720","124855805480593868214252434885215660663","304130721794607915852323038872467968267","323667575840971434249975967998125264912"]},"source":"https://android.googlesource.com/platform/frameworks/native/+/3d9f1e3b0a135b784b9ffa0e65d6a699c7ed1f8e"},{"signature_type":"Function","signature_version":"v1","id":"ASB-A-294609150-fb3091e1","target":{"function":"MemoryHeapBase::MemoryHeapBase","file":"libs/binder/MemoryHeapBase.cpp"},"deprecated":false,"digest":{"function_hash":"187671776888294417156935036257939364166","length":1361},"source":"https://android.googlesource.com/platform/frameworks/native/+/3d9f1e3b0a135b784b9ffa0e65d6a699c7ed1f8e"}],"spl":"2024-02-01","severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/3d9f1e3b0a135b784b9ffa0e65d6a699c7ed1f8e"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-294609150.json"}},{"package":{"name":"platform/system/core","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2024-02-01"}]}],"versions":["14-next"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","target":{"file":"libcutils/ashmem-dev.cpp"},"id":"ASB-A-294609150-6b722d23","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["261156310786695644581642584175879933835","180811507382681509562895906386789842283","207842613690740056545347470374413932687","191196209844926916100865936626187733986","235807140696617410489558382673550515034","162574758249669744246306361414159655520","101840385824538227903280020879843624924","117185873691115811326861917347887040936","324678747457288162797933506071644273953","299325987141489419938834652528185645879","309801869721460638901119034333604737846","73966523449701301462376068364524983548"]},"source":"https://android.googlesource.com/platform/system/core/+/f83c5c8fecf89d9315945368aa20350c2f235cc0"},{"signature_type":"Function","signature_version":"v1","id":"ASB-A-294609150-72f80b7a","target":{"function":"memfd_set_prot_region","file":"libcutils/ashmem-dev.cpp"},"deprecated":false,"digest":{"function_hash":"113970752469977986086479737717709044364","length":316},"source":"https://android.googlesource.com/platform/system/core/+/f83c5c8fecf89d9315945368aa20350c2f235cc0"},{"signature_type":"Function","signature_version":"v1","id":"ASB-A-294609150-a175e426","target":{"function":"memfd_create_region","file":"libcutils/ashmem-dev.cpp"},"deprecated":false,"digest":{"function_hash":"291495214528864181825778639720026738285","length":573},"source":"https://android.googlesource.com/platform/system/core/+/f83c5c8fecf89d9315945368aa20350c2f235cc0"}],"spl":"2024-02-01","severity":"High","fixes":["https://android.googlesource.com/platform/system/core/+/f83c5c8fecf89d9315945368aa20350c2f235cc0"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-294609150.json"}},{"package":{"name":"platform/system/core","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2024-02-01"}]}],"versions":["11"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Function","target":{"function":"memfd_set_prot_region","file":"libcutils/ashmem-dev.cpp"},"id":"ASB-A-294609150-269ceb79","signature_version":"v1","deprecated":false,"digest":{"function_hash":"113970752469977986086479737717709044364","length":316},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"},{"signature_type":"Line","target":{"file":"libcutils/ashmem-dev.cpp"},"id":"ASB-A-294609150-a701bf38","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["261156310786695644581642584175879933835","180811507382681509562895906386789842283","207842613690740056545347470374413932687","191196209844926916100865936626187733986","235807140696617410489558382673550515034","162574758249669744246306361414159655520","101840385824538227903280020879843624924","117185873691115811326861917347887040936","324678747457288162797933506071644273953","299325987141489419938834652528185645879","309801869721460638901119034333604737846","73966523449701301462376068364524983548"]},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"},{"signature_type":"Function","target":{"function":"memfd_create_region","file":"libcutils/ashmem-dev.cpp"},"id":"ASB-A-294609150-f00b7765","signature_version":"v1","deprecated":false,"digest":{"function_hash":"195215426006106713982080118962166354165","length":559},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"}],"spl":"2024-02-01","severity":"High","fixes":["https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-294609150.json"}},{"package":{"name":"platform/system/core","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2024-02-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Function","target":{"function":"memfd_create_region","file":"libcutils/ashmem-dev.cpp"},"id":"ASB-A-294609150-0bced3c9","signature_version":"v1","deprecated":false,"digest":{"function_hash":"195215426006106713982080118962166354165","length":559},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"},{"signature_type":"Function","signature_version":"v1","id":"ASB-A-294609150-368122f0","target":{"function":"memfd_set_prot_region","file":"libcutils/ashmem-dev.cpp"},"deprecated":false,"digest":{"function_hash":"113970752469977986086479737717709044364","length":316},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"},{"signature_type":"Line","signature_version":"v1","id":"ASB-A-294609150-8d7535b2","target":{"file":"libcutils/ashmem-dev.cpp"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["261156310786695644581642584175879933835","180811507382681509562895906386789842283","207842613690740056545347470374413932687","191196209844926916100865936626187733986","235807140696617410489558382673550515034","162574758249669744246306361414159655520","101840385824538227903280020879843624924","117185873691115811326861917347887040936","324678747457288162797933506071644273953","299325987141489419938834652528185645879","309801869721460638901119034333604737846","73966523449701301462376068364524983548"]},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"}],"spl":"2024-02-01","severity":"High","fixes":["https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-294609150.json"}},{"package":{"name":"platform/system/core","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2024-02-01"}]}],"versions":["12L"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","signature_version":"v1","id":"ASB-A-294609150-571df3c0","target":{"file":"libcutils/ashmem-dev.cpp"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["261156310786695644581642584175879933835","180811507382681509562895906386789842283","207842613690740056545347470374413932687","191196209844926916100865936626187733986","235807140696617410489558382673550515034","162574758249669744246306361414159655520","101840385824538227903280020879843624924","117185873691115811326861917347887040936","324678747457288162797933506071644273953","299325987141489419938834652528185645879","309801869721460638901119034333604737846","73966523449701301462376068364524983548"]},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"},{"signature_type":"Function","target":{"function":"memfd_create_region","file":"libcutils/ashmem-dev.cpp"},"id":"ASB-A-294609150-b412d294","signature_version":"v1","deprecated":false,"digest":{"function_hash":"195215426006106713982080118962166354165","length":559},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"},{"signature_type":"Function","signature_version":"v1","id":"ASB-A-294609150-ef4af1bd","target":{"function":"memfd_set_prot_region","file":"libcutils/ashmem-dev.cpp"},"deprecated":false,"digest":{"function_hash":"113970752469977986086479737717709044364","length":316},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"}],"spl":"2024-02-01","severity":"High","fixes":["https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-294609150.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2024-02-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","signature_version":"v1","id":"ASB-A-294609150-94e818ec","target":{"file":"libs/binder/MemoryHeapBase.cpp"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["218321599948717590714487254783163945621","34036627689076654165346954968650927935","177528396368070132329863857794330917805","135261448792827151031508216050454184951","321031115397245363340750465791525223961"]},"source":"https://android.googlesource.com/platform/frameworks/native/+/f2c1d9d28083fdcba53f346bba5289e72bc4be49"},{"signature_type":"Function","signature_version":"v1","id":"ASB-A-294609150-ac2ad346","target":{"function":"MemoryHeapBase::MemoryHeapBase","file":"libs/binder/MemoryHeapBase.cpp"},"deprecated":false,"digest":{"function_hash":"167039174744814058412077865357774448779","length":1454},"source":"https://android.googlesource.com/platform/frameworks/native/+/f2c1d9d28083fdcba53f346bba5289e72bc4be49"}],"spl":"2024-02-01","severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/f2c1d9d28083fdcba53f346bba5289e72bc4be49"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-294609150.json"}},{"package":{"name":"platform/system/core","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2024-02-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","target":{"file":"libcutils/ashmem-dev.cpp"},"id":"ASB-A-294609150-5be709b1","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["261156310786695644581642584175879933835","180811507382681509562895906386789842283","207842613690740056545347470374413932687","191196209844926916100865936626187733986","235807140696617410489558382673550515034","162574758249669744246306361414159655520","101840385824538227903280020879843624924","117185873691115811326861917347887040936","324678747457288162797933506071644273953","299325987141489419938834652528185645879","309801869721460638901119034333604737846","73966523449701301462376068364524983548"]},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"},{"signature_type":"Function","target":{"function":"memfd_create_region","file":"libcutils/ashmem-dev.cpp"},"id":"ASB-A-294609150-61680bca","signature_version":"v1","deprecated":false,"digest":{"function_hash":"195215426006106713982080118962166354165","length":559},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"},{"signature_type":"Function","signature_version":"v1","id":"ASB-A-294609150-6e720e7d","target":{"function":"memfd_set_prot_region","file":"libcutils/ashmem-dev.cpp"},"deprecated":false,"digest":{"function_hash":"113970752469977986086479737717709044364","length":316},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"}],"spl":"2024-02-01","severity":"High","fixes":["https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-294609150.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-02-01"}]}],"versions":["14"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","target":{"file":"libs/binder/MemoryHeapBase.cpp"},"id":"ASB-A-294609150-3e4f4ab8","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["218321599948717590714487254783163945621","45588506461727005894535084985380218720","124855805480593868214252434885215660663","304130721794607915852323038872467968267","323667575840971434249975967998125264912"]},"source":"https://android.googlesource.com/platform/frameworks/native/+/77b758c59f58a05d1c0d45350796951bc778745f"},{"signature_type":"Function","signature_version":"v1","id":"ASB-A-294609150-f61a0fb0","target":{"function":"MemoryHeapBase::MemoryHeapBase","file":"libs/binder/MemoryHeapBase.cpp"},"deprecated":false,"digest":{"function_hash":"41683057875052563667609673171350457900","length":1343},"source":"https://android.googlesource.com/platform/frameworks/native/+/77b758c59f58a05d1c0d45350796951bc778745f"}],"spl":"2024-02-01","severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/77b758c59f58a05d1c0d45350796951bc778745f"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-294609150.json"}},{"package":{"name":"platform/system/core","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-02-01"}]}],"versions":["14"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","signature_version":"v1","id":"ASB-A-294609150-533436e9","target":{"file":"libcutils/ashmem-dev.cpp"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["261156310786695644581642584175879933835","180811507382681509562895906386789842283","207842613690740056545347470374413932687","191196209844926916100865936626187733986","235807140696617410489558382673550515034","162574758249669744246306361414159655520","101840385824538227903280020879843624924","117185873691115811326861917347887040936","324678747457288162797933506071644273953","299325987141489419938834652528185645879","309801869721460638901119034333604737846","73966523449701301462376068364524983548"]},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"},{"signature_type":"Function","signature_version":"v1","id":"ASB-A-294609150-803ad71a","target":{"function":"memfd_create_region","file":"libcutils/ashmem-dev.cpp"},"deprecated":false,"digest":{"function_hash":"195215426006106713982080118962166354165","length":559},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"},{"signature_type":"Function","target":{"function":"memfd_set_prot_region","file":"libcutils/ashmem-dev.cpp"},"id":"ASB-A-294609150-b5b7a8c1","signature_version":"v1","deprecated":false,"digest":{"function_hash":"113970752469977986086479737717709044364","length":316},"source":"https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"}],"spl":"2024-02-01","severity":"High","fixes":["https://android.googlesource.com/platform/system/core/+/61a2897733e15a12b7aa2dfd99957e83cbe59351"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-294609150.json"}}],"schema_version":"1.7.5"}