{"id":"ASB-A-377672115","details":"In multiple functions of mremap.c, there is a possible use-after-free scenario in physical memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-377672115","CVE-2025-0088"],"modified":"2026-04-22T14:59:17.843400Z","published":"2025-02-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-02-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/f913f0123e6cff4dbc7c1e17d13b7a59a54475d2"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/bce004fba8be9e1bb575301f398b3ecc27ba42de"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2025-02-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"deprecated":true,"target":{"function":"trylock_vma_ref_count","file":"mm/mremap.c"},"id":"ASB-A-377672115-029c703d","signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/f913f0123e6cff4dbc7c1e17d13b7a59a54475d2","digest":{"length":64,"function_hash":"89005354327067945853519684375956017931"}},{"deprecated":false,"target":{"file":"mm/mremap.c"},"id":"ASB-A-377672115-0c85309b","signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/bce004fba8be9e1bb575301f398b3ecc27ba42de","digest":{"line_hashes":["42797392494937158650355481991368978824","70578576587602961694043132551032985367","85871555903152038420517338934574066290","40300584947028607554305810739097275190","5426035947856368807581366380697496740","200506263781036578600989206180812294133","15988042282469977785253196155781412501","294170071576911363250042612665746903356","302022995094002775671732453889410562132","65785686690648809501617130737915359820","36324807517991436534608711174707398036","226640338742035864286972555826839567618","21069059154758008581973228760411561663","286318326631406340822087157363773349524","144699475404878957895704382154986588803","103283450558503344446433029724229318601","20219912921545860973126733485099336288","152344660179782338041864422653054914033","79927287083165520605533684903091717403","109340300148154360881385519137722313356","233104647185192125873695363470633481807","326876978524968313354133912895249077900","137557750825714246603947329889087201491","32233292796026853021320626533547726959","151222702089990596386662302705211747106","59301673601804744060000440212161599677","158003781017385672081172246064266535284","242258502374602303592760094049820635622","293222593432051175845947980341807992850","71122669304717087107267440898460425128","172520243452005976952658450047634595548","137586252339255593434059259461491086792","237248396711025993060957199662747119659","317771891073009677934926914300591273159","129480203548215297214611732029116557364","182936738225258363469159966706209988930","139535717722966595369526164561184409854","164210822877810058603443836170701940110","203085823583401697181528265146254406453","180067813262619704111519734352372418009","35528738709137646220385954203694285999","211376103467546214143520485085571929348","106682404611858104925717942904879551543","324131300247421353052654732280695566387","324862420182178577650750048117105568843","1228260130139878720329556233712426866","274284880338793595387743666369373837552","128738172722948940816731002079111712949","181781043165796458705912316752845643911","132611154650509369931928959445614052019","88161700639814895559913947043776269841","81625688981858205294951127328772885772","180067813262619704111519734352372418009","35528738709137646220385954203694285999","211376103467546214143520485085571929348","106682404611858104925717942904879551543"],"threshold":0.9}},{"deprecated":false,"target":{"function":"move_normal_pud","file":"mm/mremap.c"},"id":"ASB-A-377672115-2231cc1b","signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/bce004fba8be9e1bb575301f398b3ecc27ba42de","digest":{"length":721,"function_hash":"161154478247790485708517161515094541607"}},{"deprecated":false,"target":{"function":"move_normal_pmd","file":"mm/mremap.c"},"id":"ASB-A-377672115-2928c2c0","signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/f913f0123e6cff4dbc7c1e17d13b7a59a54475d2","digest":{"length":721,"function_hash":"53041499849613438495804034995043984480"}},{"deprecated":false,"target":{"function":"move_normal_pud","file":"mm/mremap.c"},"id":"ASB-A-377672115-2d2ed8c0","signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/f913f0123e6cff4dbc7c1e17d13b7a59a54475d2","digest":{"length":721,"function_hash":"161154478247790485708517161515094541607"}},{"deprecated":true,"target":{"function":"unlock_vma_ref_count","file":"mm/mremap.c"},"id":"ASB-A-377672115-37b76e4d","signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/f913f0123e6cff4dbc7c1e17d13b7a59a54475d2","digest":{"length":141,"function_hash":"242559038692532997653264190517254022438"}},{"deprecated":true,"target":{"function":"trylock_vma_ref_count","file":"mm/mremap.c"},"id":"ASB-A-377672115-4c514394","signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/f913f0123e6cff4dbc7c1e17d13b7a59a54475d2","digest":{"length":113,"function_hash":"319355426502537965485581710589111492149"}},{"deprecated":false,"target":{"function":"move_normal_pmd","file":"mm/mremap.c"},"id":"ASB-A-377672115-5b791fd4","signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/bce004fba8be9e1bb575301f398b3ecc27ba42de","digest":{"length":721,"function_hash":"53041499849613438495804034995043984480"}},{"deprecated":true,"target":{"function":"unlock_vma_ref_count","file":"mm/mremap.c"},"id":"ASB-A-377672115-60ed7274","signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/f913f0123e6cff4dbc7c1e17d13b7a59a54475d2","digest":{"length":50,"function_hash":"250457195752860052248867923284680444418"}},{"deprecated":true,"target":{"function":"unlock_vma_ref_count","file":"mm/mremap.c"},"id":"ASB-A-377672115-66f8e651","signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/bce004fba8be9e1bb575301f398b3ecc27ba42de","digest":{"length":50,"function_hash":"250457195752860052248867923284680444418"}},{"deprecated":false,"target":{"file":"mm/mremap.c"},"id":"ASB-A-377672115-787c93b3","signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/f913f0123e6cff4dbc7c1e17d13b7a59a54475d2","digest":{"line_hashes":["42797392494937158650355481991368978824","70578576587602961694043132551032985367","85871555903152038420517338934574066290","40300584947028607554305810739097275190","5426035947856368807581366380697496740","200506263781036578600989206180812294133","15988042282469977785253196155781412501","294170071576911363250042612665746903356","302022995094002775671732453889410562132","65785686690648809501617130737915359820","36324807517991436534608711174707398036","226640338742035864286972555826839567618","21069059154758008581973228760411561663","286318326631406340822087157363773349524","144699475404878957895704382154986588803","103283450558503344446433029724229318601","20219912921545860973126733485099336288","152344660179782338041864422653054914033","79927287083165520605533684903091717403","109340300148154360881385519137722313356","233104647185192125873695363470633481807","326876978524968313354133912895249077900","137557750825714246603947329889087201491","32233292796026853021320626533547726959","151222702089990596386662302705211747106","59301673601804744060000440212161599677","158003781017385672081172246064266535284","242258502374602303592760094049820635622","293222593432051175845947980341807992850","71122669304717087107267440898460425128","172520243452005976952658450047634595548","137586252339255593434059259461491086792","237248396711025993060957199662747119659","317771891073009677934926914300591273159","129480203548215297214611732029116557364","182936738225258363469159966706209988930","139535717722966595369526164561184409854","164210822877810058603443836170701940110","203085823583401697181528265146254406453","180067813262619704111519734352372418009","35528738709137646220385954203694285999","211376103467546214143520485085571929348","106682404611858104925717942904879551543","324131300247421353052654732280695566387","324862420182178577650750048117105568843","1228260130139878720329556233712426866","274284880338793595387743666369373837552","128738172722948940816731002079111712949","181781043165796458705912316752845643911","132611154650509369931928959445614052019","88161700639814895559913947043776269841","81625688981858205294951127328772885772","180067813262619704111519734352372418009","35528738709137646220385954203694285999","211376103467546214143520485085571929348","106682404611858104925717942904879551543"],"threshold":0.9}},{"deprecated":true,"target":{"function":"trylock_vma_ref_count","file":"mm/mremap.c"},"id":"ASB-A-377672115-9f44a9f9","signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/bce004fba8be9e1bb575301f398b3ecc27ba42de","digest":{"length":113,"function_hash":"319355426502537965485581710589111492149"}},{"deprecated":true,"target":{"function":"unlock_vma_ref_count","file":"mm/mremap.c"},"id":"ASB-A-377672115-c450a2b2","signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/bce004fba8be9e1bb575301f398b3ecc27ba42de","digest":{"length":141,"function_hash":"242559038692532997653264190517254022438"}},{"deprecated":true,"target":{"function":"trylock_vma_ref_count","file":"mm/mremap.c"},"id":"ASB-A-377672115-fd7d0dc1","signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/bce004fba8be9e1bb575301f398b3ecc27ba42de","digest":{"length":64,"function_hash":"89005354327067945853519684375956017931"}}],"types":["EoP"],"fixes":["https://android.googlesource.com/kernel/common/+/f913f0123e6cff4dbc7c1e17d13b7a59a54475d2","https://android.googlesource.com/kernel/common/+/bce004fba8be9e1bb575301f398b3ecc27ba42de"],"spl":"2025-02-05"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-377672115.json"}}],"schema_version":"1.7.5"}