{"id":"ASB-A-432753641","details":"In unix_stream_recv_urg of af_unix.c, there is a possible way to achieve code execution due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-432753641","CVE-2025-38236"],"modified":"2026-05-27T15:53:17.428190120Z","published":"2025-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-12-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/a12237865b48a73183df252029ff5065d73d305e"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/fad0a2c16062ac7c606b93166a7ce9d265bab976"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2025-12-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"severity":"High","types":["EoP"],"fixes":["https://android.googlesource.com/kernel/common/+/a12237865b48a73183df252029ff5065d73d305e","https://android.googlesource.com/kernel/common/+/fad0a2c16062ac7c606b93166a7ce9d265bab976"],"vanir_signatures":[{"signature_version":"v1","id":"ASB-A-432753641-0997eb90","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["183252015495784150815074425108747348646","236728392786984015217553286462212773033","254384752385631068815300715904164301250","11553748700143810502292442417527623876","321011682658881487664849514755219224884","295480873339494963930518411331494115004","225139531471823096184134662633073653583","288484838968544984887739437775807415209","228492040799423198324251515580849429063","41755156721136384482599075909833842327","73603010689634229389347733204668975462","290493494940134735643491267196507640898","216390754541469798883098752354660630225","72824928035174032854310807870359093985","219360950567803672166296949696650665395","329445656469819655501715074336629864351","172953970843298043501755264330416669825"]},"deprecated":false,"target":{"file":"net/unix/af_unix.c"},"source":"https://android.googlesource.com/kernel/common/+/a12237865b48a73183df252029ff5065d73d305e"},{"signature_version":"v1","id":"ASB-A-432753641-7530af4d","target":{"function":"unix_stream_recv_urg","file":"net/unix/af_unix.c"},"signature_type":"Function","digest":{"length":840,"function_hash":"97891357983722468090034070534007393679"},"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/fad0a2c16062ac7c606b93166a7ce9d265bab976"},{"signature_version":"v1","deprecated":false,"digest":{"length":840,"function_hash":"97891357983722468090034070534007393679"},"target":{"function":"unix_stream_recv_urg","file":"net/unix/af_unix.c"},"signature_type":"Function","id":"ASB-A-432753641-edfb2af5","source":"https://android.googlesource.com/kernel/common/+/a12237865b48a73183df252029ff5065d73d305e"},{"signature_version":"v1","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["183252015495784150815074425108747348646","236728392786984015217553286462212773033","254384752385631068815300715904164301250","11553748700143810502292442417527623876","321011682658881487664849514755219224884","295480873339494963930518411331494115004","225139531471823096184134662633073653583","288484838968544984887739437775807415209","228492040799423198324251515580849429063","41755156721136384482599075909833842327","73603010689634229389347733204668975462","290493494940134735643491267196507640898","216390754541469798883098752354660630225","72824928035174032854310807870359093985","219360950567803672166296949696650665395","329445656469819655501715074336629864351","172953970843298043501755264330416669825"]},"target":{"file":"net/unix/af_unix.c"},"source":"https://android.googlesource.com/kernel/common/+/fad0a2c16062ac7c606b93166a7ce9d265bab976","id":"ASB-A-432753641-ef4fa016"}],"spl":"2025-12-05"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-432753641.json"}}],"schema_version":"1.7.5"}