{"id":"ASB-A-299123598","details":"In unix_stream_sendpage of af_unix.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-299123598","CVE-2023-4622"],"modified":"2026-04-10T16:16:18.068628Z","published":"2024-05-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2024-05-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/e6ed59127c865"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/790c2f9d15b59"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/84d3e59750bbd"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/d39fc9b94dc07"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2024-05-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"severity":"High","spl":"2024-05-05","types":["EoP"],"fixes":["https://android.googlesource.com/kernel/common/+/e6ed59127c865","https://android.googlesource.com/kernel/common/+/790c2f9d15b59","https://android.googlesource.com/kernel/common/+/84d3e59750bbd","https://android.googlesource.com/kernel/common/+/d39fc9b94dc07"],"vanir_signatures":[{"digest":{"length":2118,"function_hash":"74578476663412431466883751391350733343"},"signature_type":"Function","target":{"function":"unix_stream_sendpage","file":"net/unix/af_unix.c"},"signature_version":"v1","deprecated":false,"id":"ASB-A-299123598-00d992af","source":"https://android.googlesource.com/kernel/common/+/d39fc9b94dc07"},{"digest":{"line_hashes":["248950612756612724065093709972738325357","279144108549210949441020903890615322329","16220953337162752779916020803348486468","203654826256204033757231210560604153267","260522720799231029387729392220418790987","86655572250296221835706980117084759542","322983119535394844659808779319684898409","30135840773779090171591045457747543630","291436812016123704043265508278090069461","166185117026504118168859716872522459700","30516924935334657074735959066607922916","166699174247796674368467584101246118722","175578990280298867692057496702032737660","207591957364424589282195218120637294974","152852358735968692568757231492658828030","137510011422766836065820052306096440041","241416977303368234603546312521807009668"],"threshold":0.9},"signature_type":"Line","target":{"file":"net/unix/af_unix.c"},"signature_version":"v1","deprecated":false,"id":"ASB-A-299123598-4f5d4535","source":"https://android.googlesource.com/kernel/common/+/d39fc9b94dc07"},{"digest":{"line_hashes":["248950612756612724065093709972738325357","279144108549210949441020903890615322329","16220953337162752779916020803348486468","203654826256204033757231210560604153267","260522720799231029387729392220418790987","86655572250296221835706980117084759542","322983119535394844659808779319684898409","30135840773779090171591045457747543630","291436812016123704043265508278090069461","166185117026504118168859716872522459700","30516924935334657074735959066607922916","166699174247796674368467584101246118722","175578990280298867692057496702032737660","207591957364424589282195218120637294974","152852358735968692568757231492658828030","137510011422766836065820052306096440041","241416977303368234603546312521807009668"],"threshold":0.9},"signature_type":"Line","target":{"file":"net/unix/af_unix.c"},"signature_version":"v1","deprecated":false,"id":"ASB-A-299123598-569f3979","source":"https://android.googlesource.com/kernel/common/+/84d3e59750bbd"},{"digest":{"length":2118,"function_hash":"74578476663412431466883751391350733343"},"signature_type":"Function","target":{"function":"unix_stream_sendpage","file":"net/unix/af_unix.c"},"signature_version":"v1","deprecated":false,"id":"ASB-A-299123598-6c337f83","source":"https://android.googlesource.com/kernel/common/+/790c2f9d15b59"},{"digest":{"line_hashes":["248950612756612724065093709972738325357","279144108549210949441020903890615322329","16220953337162752779916020803348486468","203654826256204033757231210560604153267","260522720799231029387729392220418790987","86655572250296221835706980117084759542","322983119535394844659808779319684898409","30135840773779090171591045457747543630","291436812016123704043265508278090069461","166185117026504118168859716872522459700","30516924935334657074735959066607922916","166699174247796674368467584101246118722","175578990280298867692057496702032737660","207591957364424589282195218120637294974","152852358735968692568757231492658828030","137510011422766836065820052306096440041","241416977303368234603546312521807009668"],"threshold":0.9},"signature_type":"Line","target":{"file":"net/unix/af_unix.c"},"signature_version":"v1","deprecated":false,"id":"ASB-A-299123598-8be56e5e","source":"https://android.googlesource.com/kernel/common/+/790c2f9d15b59"},{"digest":{"line_hashes":["248950612756612724065093709972738325357","279144108549210949441020903890615322329","16220953337162752779916020803348486468","203654826256204033757231210560604153267","260522720799231029387729392220418790987","86655572250296221835706980117084759542","322983119535394844659808779319684898409","30135840773779090171591045457747543630","291436812016123704043265508278090069461","166185117026504118168859716872522459700","30516924935334657074735959066607922916","166699174247796674368467584101246118722","175578990280298867692057496702032737660","207591957364424589282195218120637294974","152852358735968692568757231492658828030","137510011422766836065820052306096440041","241416977303368234603546312521807009668"],"threshold":0.9},"signature_type":"Line","target":{"file":"net/unix/af_unix.c"},"signature_version":"v1","deprecated":false,"id":"ASB-A-299123598-8ee8e9ea","source":"https://android.googlesource.com/kernel/common/+/e6ed59127c865"},{"digest":{"length":2118,"function_hash":"74578476663412431466883751391350733343"},"signature_type":"Function","target":{"function":"unix_stream_sendpage","file":"net/unix/af_unix.c"},"signature_version":"v1","deprecated":false,"id":"ASB-A-299123598-aadcf96a","source":"https://android.googlesource.com/kernel/common/+/84d3e59750bbd"},{"digest":{"length":2118,"function_hash":"74578476663412431466883751391350733343"},"signature_type":"Function","target":{"function":"unix_stream_sendpage","file":"net/unix/af_unix.c"},"signature_version":"v1","deprecated":false,"id":"ASB-A-299123598-f97e8ab2","source":"https://android.googlesource.com/kernel/common/+/e6ed59127c865"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-299123598.json"}}],"schema_version":"1.7.5"}