{"id":"ASB-A-432728472","details":"In tls_rx_msg_size of tls_sw.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-432728472","A-446648770","ASB-A-446648770","CVE-2025-39946"],"modified":"2026-05-27T15:53:17.428190120Z","published":"2026-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-03-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a5"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2026-03-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","deprecated":false,"target":{"function":"tls_strp_read_sock","file":"net/tls/tls_strp.c"},"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","digest":{"function_hash":"153434889485638265871577548869593617670","length":694},"signature_type":"Function","id":"ASB-A-432728472-01516fff"},{"signature_version":"v1","deprecated":false,"target":{"function":"tls_strp_abort_strp","file":"net/tls/tls_strp.c"},"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a5","digest":{"function_hash":"73899250446012620206950543049773955899","length":202},"signature_type":"Function","id":"ASB-A-432728472-037acb08"},{"signature_version":"v1","deprecated":false,"target":{"function":"tls_strp_copyin_frag","file":"net/tls/tls_strp.c"},"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a5","digest":{"function_hash":"14736950894827631867549102320191922726","length":1305},"signature_type":"Function","id":"ASB-A-432728472-19b82f1e"},{"signature_version":"v1","deprecated":false,"target":{"function":"tls_strp_read_sock","file":"net/tls/tls_strp.c"},"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","digest":{"function_hash":"48348692865488476052042763323118805048","length":681},"signature_type":"Function","id":"ASB-A-432728472-3d02bf22"},{"signature_version":"v1","deprecated":false,"target":{"function":"tls_rx_msg_size","file":"net/tls/tls_sw.c"},"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","digest":{"function_hash":"80210314256187194721452425538351763738","length":1209},"signature_type":"Function","id":"ASB-A-432728472-3f450019"},{"signature_version":"v1","deprecated":false,"target":{"function":"tls_strp_abort_strp","file":"net/tls/tls_strp.c"},"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","digest":{"function_hash":"73899250446012620206950543049773955899","length":202},"signature_type":"Function","id":"ASB-A-432728472-548e5f56"},{"signature_version":"v1","deprecated":false,"target":{"file":"net/tls/tls.h"},"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a5","digest":{"threshold":0.9,"line_hashes":["167319612760302190586015343449827245489","114835205123262800226261142064048450240","27954908737744688539567304471312715351","164201152866963214840408218986501627918"]},"signature_type":"Line","id":"ASB-A-432728472-6590ed20"},{"signature_version":"v1","deprecated":false,"target":{"file":"net/tls/tls.h"},"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","digest":{"threshold":0.9,"line_hashes":["167319612760302190586015343449827245489","249219786354491397621364679998475272102","150993359548527104535124589494448364847","134789658902575227106705782654316408187"]},"id":"ASB-A-432728472-6e7ee497","signature_type":"Line"},{"signature_version":"v1","deprecated":false,"target":{"function":"tls_strp_copyin_frag","file":"net/tls/tls_strp.c"},"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","digest":{"function_hash":"14736950894827631867549102320191922726","length":1305},"signature_type":"Function","id":"ASB-A-432728472-76722a05"},{"signature_version":"v1","deprecated":false,"target":{"file":"net/tls/tls_sw.c"},"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","digest":{"threshold":0.9,"line_hashes":["259352220024315208510789459129187146363","70821024282919158246521290310114840820","257139970137432328844216514013311298012","273441906032623416244819020749562126365"]},"signature_type":"Line","id":"ASB-A-432728472-7f6345ac"},{"signature_version":"v1","deprecated":false,"target":{"file":"net/tls/tls_sw.c"},"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a5","digest":{"threshold":0.9,"line_hashes":["259352220024315208510789459129187146363","70821024282919158246521290310114840820","257139970137432328844216514013311298012","273441906032623416244819020749562126365"]},"signature_type":"Line","id":"ASB-A-432728472-81d4f64a"},{"signature_version":"v1","deprecated":false,"target":{"function":"tls_rx_msg_size","file":"net/tls/tls_sw.c"},"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","digest":{"function_hash":"119521667270854040441809762487232819214","length":1205},"signature_type":"Function","id":"ASB-A-432728472-85bf8601"},{"signature_version":"v1","deprecated":false,"target":{"file":"net/tls/tls_sw.c","function":"tls_rx_msg_size"},"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a5","digest":{"function_hash":"119521667270854040441809762487232819214","length":1205},"signature_type":"Function","id":"ASB-A-432728472-9b749b32"},{"signature_version":"v1","deprecated":false,"target":{"function":"tls_strp_read_sock","file":"net/tls/tls_strp.c"},"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a5","digest":{"function_hash":"153434889485638265871577548869593617670","length":694},"signature_type":"Function","id":"ASB-A-432728472-9d90cc5d"},{"signature_version":"v1","deprecated":false,"target":{"file":"net/tls/tls.h"},"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","digest":{"threshold":0.9,"line_hashes":["24740857850889261376534379889810764363","85998308388649098283392370513661937551","147429037395883480638966273712117273899","164201152866963214840408218986501627918"]},"signature_type":"Line","id":"ASB-A-432728472-a095dc4a"},{"signature_version":"v1","deprecated":false,"target":{"file":"net/tls/tls_strp.c"},"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","digest":{"threshold":0.9,"line_hashes":["283473912220730539996808505321285588488","282379519402453234653640911446496461682","180019526495118017326739593146279295034","127703605037329090890997472871119392881","257757383132649446419959855998803868183","207123435426603509375397963049063922643","321988435554987910950377870876338988276","213917199970682281630473111601042701007","320480072546889979068846311463305586477","282837849059342887715680713098453968916","102636347842246774708837963250878814246","330445333256328674200284537248793228348","257164867764520225110026204737396977674","30433805054825544707946463506709329172","124645913546482956324079446531650032764","190398880868658174037474825069554292580","64671137334939586658247282280300550306","311922899447412556101406509780565561577","255993891640699880661468095459341916628"]},"id":"ASB-A-432728472-aa5115ca","signature_type":"Line"},{"signature_version":"v1","deprecated":false,"target":{"file":"net/tls/tls_sw.c"},"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","digest":{"threshold":0.9,"line_hashes":["259352220024315208510789459129187146363","70821024282919158246521290310114840820","257139970137432328844216514013311298012","273441906032623416244819020749562126365"]},"signature_type":"Line","id":"ASB-A-432728472-b0fd8bf1"},{"signature_version":"v1","deprecated":false,"target":{"function":"tls_strp_abort_strp","file":"net/tls/tls_strp.c"},"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","digest":{"function_hash":"73899250446012620206950543049773955899","length":202},"signature_type":"Function","id":"ASB-A-432728472-b79f5c12"},{"signature_version":"v1","deprecated":false,"target":{"file":"net/tls/tls_strp.c"},"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a5","digest":{"threshold":0.9,"line_hashes":["283473912220730539996808505321285588488","282379519402453234653640911446496461682","180019526495118017326739593146279295034","127703605037329090890997472871119392881","257757383132649446419959855998803868183","207123435426603509375397963049063922643","321988435554987910950377870876338988276","213917199970682281630473111601042701007","320480072546889979068846311463305586477","282837849059342887715680713098453968916","102636347842246774708837963250878814246","330445333256328674200284537248793228348","257164867764520225110026204737396977674","30433805054825544707946463506709329172","124645913546482956324079446531650032764","190398880868658174037474825069554292580","64671137334939586658247282280300550306","311922899447412556101406509780565561577","255993891640699880661468095459341916628"]},"signature_type":"Line","id":"ASB-A-432728472-c6beb2e7"},{"signature_version":"v1","deprecated":false,"target":{"file":"net/tls/tls_strp.c","function":"tls_strp_copyin_frag"},"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","digest":{"function_hash":"14736950894827631867549102320191922726","length":1305},"signature_type":"Function","id":"ASB-A-432728472-eb7d8bd9"},{"signature_version":"v1","deprecated":false,"target":{"file":"net/tls/tls_strp.c"},"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","digest":{"threshold":0.9,"line_hashes":["283473912220730539996808505321285588488","282379519402453234653640911446496461682","180019526495118017326739593146279295034","127703605037329090890997472871119392881","257757383132649446419959855998803868183","207123435426603509375397963049063922643","321988435554987910950377870876338988276","213917199970682281630473111601042701007","320480072546889979068846311463305586477","282837849059342887715680713098453968916","102636347842246774708837963250878814246","330445333256328674200284537248793228348","257164867764520225110026204737396977674","30433805054825544707946463506709329172","124645913546482956324079446531650032764","190398880868658174037474825069554292580","64671137334939586658247282280300550306","311922899447412556101406509780565561577","255993891640699880661468095459341916628"]},"id":"ASB-A-432728472-f3d2de02","signature_type":"Line"}],"severity":"High","types":["EoP"],"fixes":["https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a5","https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc"],"spl":"2026-03-05"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-432728472.json"}}],"schema_version":"1.7.5"}