{"id":"ASB-A-343129193","details":"In afterKeyEventLockedInterruptable of InputDispatcher.cpp, there is a possible use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-343129193","CVE-2025-22438"],"modified":"2026-05-15T15:01:37.959123Z","published":"2025-04-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-04-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/native/+/7ac747cb442d382c74a18d26268b7fc3751537ce"}],"affected":[{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-04-01"}]}],"versions":["15-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/f50323a1538fc8da33a14c8ab2ee2fb02d45123d"],"types":["EoP"],"spl":"2025-04-01","severity":"High","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["159950434618348112404932011639717993461","251130068874848152702911342011700018883","309812315689813296124793857319445553897","15934354529885839375344483533599180617","62680452322183389739726380967039958689"]},"id":"ASB-A-343129193-5e1f7d80","source":"https://android.googlesource.com/platform/frameworks/native/+/f50323a1538fc8da33a14c8ab2ee2fb02d45123d","signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"services/inputflinger/dispatcher/InputDispatcher.h"}},{"digest":{"threshold":0.9,"line_hashes":["61502333314370103843416371831218019802","314887369145907602544610540580087213926","168096329763800169256753337301089531858","215016755901017524291322424868536938609","176037456883284026596768622789456098024","146278807053206681978306063124517250187","139354320051460634143866674216200923065","249483770489795114692900078966443136953","271514243130603046841709439448686126493","82883045109327363599492473515553307989","255238664264302092769458344523427464961","157303547835243705845294797500724544186","216439939200780513788982247478599435334","130522391484650342421286630129945237154","62519116189107506113068093593709649779"]},"id":"ASB-A-343129193-84955ea6","source":"https://android.googlesource.com/platform/frameworks/native/+/f50323a1538fc8da33a14c8ab2ee2fb02d45123d","signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"services/inputflinger/dispatcher/InputDispatcher.cpp"}},{"digest":{"length":2015,"function_hash":"157793954941330305983208832721457139567"},"id":"ASB-A-343129193-973f9c64","source":"https://android.googlesource.com/platform/frameworks/native/+/f50323a1538fc8da33a14c8ab2ee2fb02d45123d","signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"function":"InputDispatcher::doDispatchCycleFinishedCommand","file":"services/inputflinger/dispatcher/InputDispatcher.cpp"}},{"digest":{"length":5181,"function_hash":"7225614367579260001138295715854138188"},"id":"ASB-A-343129193-ffa60070","source":"https://android.googlesource.com/platform/frameworks/native/+/f50323a1538fc8da33a14c8ab2ee2fb02d45123d","signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"function":"InputDispatcher::afterKeyEventLockedInterruptable","file":"services/inputflinger/dispatcher/InputDispatcher.cpp"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-343129193.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-04-01"}]}],"versions":["13"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/7d7ac480ba006cff1f64eef416bb53f29ef9a146"],"types":["EoP"],"spl":"2025-04-01","severity":"High","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["149557283037914210267265552861268837594","275561151031896725076089099864207847282","189049331956307362867007562768652933814","190614335634123759904063618450949681247"]},"id":"ASB-A-343129193-790e1982","source":"https://android.googlesource.com/platform/frameworks/native/+/7d7ac480ba006cff1f64eef416bb53f29ef9a146","signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"services/inputflinger/dispatcher/InputDispatcher.h"}},{"digest":{"length":1761,"function_hash":"183201712386919302288253379804327848145"},"id":"ASB-A-343129193-8d5df45c","source":"https://android.googlesource.com/platform/frameworks/native/+/7d7ac480ba006cff1f64eef416bb53f29ef9a146","signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"function":"InputDispatcher::doDispatchCycleFinishedCommand","file":"services/inputflinger/dispatcher/InputDispatcher.cpp"}},{"digest":{"length":4910,"function_hash":"77924214385883978679576738862022832706"},"id":"ASB-A-343129193-a4290a92","source":"https://android.googlesource.com/platform/frameworks/native/+/7d7ac480ba006cff1f64eef416bb53f29ef9a146","signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"function":"InputDispatcher::afterKeyEventLockedInterruptable","file":"services/inputflinger/dispatcher/InputDispatcher.cpp"}},{"digest":{"threshold":0.9,"line_hashes":["272916813047980256495446035476821482710","115611667400971894042403805396031379684","184896813638000907700655104704207320393","82396840426590864152422714726096882536","106038658224156774864421599958279043439","254369307048575448236416401537424528722","212669589425799752893066239503814864054","17594782324114365445650127406578693683","46746022327974272649862099992470591370","150244651663760367568352411127777084464","195772785205490978077467148072709586785","145459749775824226004547072647237692224","180736064032880293857127638477990782434","319360596727576648455008791876136892903"]},"id":"ASB-A-343129193-f94eeb81","source":"https://android.googlesource.com/platform/frameworks/native/+/7d7ac480ba006cff1f64eef416bb53f29ef9a146","signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"services/inputflinger/dispatcher/InputDispatcher.cpp"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-343129193.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-04-01"}]}],"versions":["14"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/f68fc4c5751d08fdd29488e6c0394efce579cc54"],"types":["EoP"],"spl":"2025-04-01","severity":"High","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["311380928505758434940509306963907185276","157809458925321809625484371393788931803","273994770666812008232124080381606098536","141686357255351520892512436530105755427","193700556358493602684515138268684311286"]},"id":"ASB-A-343129193-1dd1aaa4","source":"https://android.googlesource.com/platform/frameworks/native/+/f68fc4c5751d08fdd29488e6c0394efce579cc54","signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"services/inputflinger/dispatcher/InputDispatcher.h"}},{"digest":{"threshold":0.9,"line_hashes":["272916813047980256495446035476821482710","115611667400971894042403805396031379684","184896813638000907700655104704207320393","82396840426590864152422714726096882536","106038658224156774864421599958279043439","254369307048575448236416401537424528722","32102506703905871314638477234965878822","309651948326085143552886416580848939070","38232731063149067540540954595402249261","16998214873056964133155171387118138896","150244651663760367568352411127777084464","195772785205490978077467148072709586785","214956365742103488989034057071775574880","108889988987790899425804914581334788099","161585016218405061492474320011527773105"]},"id":"ASB-A-343129193-855c4e00","source":"https://android.googlesource.com/platform/frameworks/native/+/f68fc4c5751d08fdd29488e6c0394efce579cc54","signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"services/inputflinger/dispatcher/InputDispatcher.cpp"}},{"digest":{"length":4980,"function_hash":"95720688057429602834626482160242287409"},"id":"ASB-A-343129193-ba4e8e97","source":"https://android.googlesource.com/platform/frameworks/native/+/f68fc4c5751d08fdd29488e6c0394efce579cc54","signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"function":"InputDispatcher::afterKeyEventLockedInterruptable","file":"services/inputflinger/dispatcher/InputDispatcher.cpp"}},{"digest":{"length":1761,"function_hash":"183201712386919302288253379804327848145"},"id":"ASB-A-343129193-e9b2535c","source":"https://android.googlesource.com/platform/frameworks/native/+/f68fc4c5751d08fdd29488e6c0394efce579cc54","signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"function":"InputDispatcher::doDispatchCycleFinishedCommand","file":"services/inputflinger/dispatcher/InputDispatcher.cpp"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-343129193.json"}}],"schema_version":"1.7.5"}