{"id":"ASB-A-446648770","details":"In multiple locations, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-432728472","A-446648770","ASB-A-432728472","CVE-2025-39946"],"modified":"2026-05-19T16:54:37.272608834Z","published":"2026-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-03-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a50"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2026-03-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","target":{"file":"net/tls/tls_strp.c","function":"tls_strp_read_sock"},"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"153434889485638265871577548869593617670","length":694},"id":"ASB-A-446648770-01516fff"},{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a50","target":{"file":"net/tls/tls.h"},"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["167319612760302190586015343449827245489","114835205123262800226261142064048450240","27954908737744688539567304471312715351","164201152866963214840408218986501627918"]},"id":"ASB-A-446648770-0a846487"},{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a50","target":{"file":"net/tls/tls_sw.c","function":"tls_rx_msg_size"},"digest":{"function_hash":"119521667270854040441809762487232819214","length":1205},"signature_version":"v1","signature_type":"Function","id":"ASB-A-446648770-17d41130"},{"digest":{"threshold":0.9,"line_hashes":["283473912220730539996808505321285588488","282379519402453234653640911446496461682","180019526495118017326739593146279295034","127703605037329090890997472871119392881","257757383132649446419959855998803868183","207123435426603509375397963049063922643","321988435554987910950377870876338988276","213917199970682281630473111601042701007","320480072546889979068846311463305586477","282837849059342887715680713098453968916","102636347842246774708837963250878814246","330445333256328674200284537248793228348","257164867764520225110026204737396977674","30433805054825544707946463506709329172","124645913546482956324079446531650032764","190398880868658174037474825069554292580","64671137334939586658247282280300550306","311922899447412556101406509780565561577","255993891640699880661468095459341916628"]},"deprecated":false,"target":{"file":"net/tls/tls_strp.c"},"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a50","signature_version":"v1","signature_type":"Line","id":"ASB-A-446648770-2af05d35"},{"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","digest":{"function_hash":"48348692865488476052042763323118805048","length":681},"target":{"file":"net/tls/tls_strp.c","function":"tls_strp_read_sock"},"deprecated":false,"signature_version":"v1","signature_type":"Function","id":"ASB-A-446648770-3d02bf22"},{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","target":{"file":"net/tls/tls_sw.c","function":"tls_rx_msg_size"},"id":"ASB-A-446648770-3f450019","signature_version":"v1","digest":{"function_hash":"80210314256187194721452425538351763738","length":1209},"signature_type":"Function"},{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","target":{"file":"net/tls/tls_strp.c","function":"tls_strp_abort_strp"},"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"73899250446012620206950543049773955899","length":202},"id":"ASB-A-446648770-548e5f56"},{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a50","target":{"file":"net/tls/tls_sw.c"},"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["259352220024315208510789459129187146363","70821024282919158246521290310114840820","257139970137432328844216514013311298012","273441906032623416244819020749562126365"]},"id":"ASB-A-446648770-573c7791"},{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","target":{"file":"net/tls/tls.h"},"id":"ASB-A-446648770-6e7ee497","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["167319612760302190586015343449827245489","249219786354491397621364679998475272102","150993359548527104535124589494448364847","134789658902575227106705782654316408187"]},"signature_type":"Line"},{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","target":{"file":"net/tls/tls_strp.c","function":"tls_strp_copyin_frag"},"digest":{"function_hash":"14736950894827631867549102320191922726","length":1305},"signature_version":"v1","signature_type":"Function","id":"ASB-A-446648770-76722a05"},{"digest":{"threshold":0.9,"line_hashes":["259352220024315208510789459129187146363","70821024282919158246521290310114840820","257139970137432328844216514013311298012","273441906032623416244819020749562126365"]},"deprecated":false,"target":{"file":"net/tls/tls_sw.c"},"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","signature_version":"v1","signature_type":"Line","id":"ASB-A-446648770-7f6345ac"},{"digest":{"function_hash":"119521667270854040441809762487232819214","length":1205},"deprecated":false,"target":{"file":"net/tls/tls_sw.c","function":"tls_rx_msg_size"},"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","signature_version":"v1","signature_type":"Function","id":"ASB-A-446648770-85bf8601"},{"digest":{"line_hashes":["24740857850889261376534379889810764363","85998308388649098283392370513661937551","147429037395883480638966273712117273899","164201152866963214840408218986501627918"],"threshold":0.9},"deprecated":false,"target":{"file":"net/tls/tls.h"},"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","signature_version":"v1","signature_type":"Line","id":"ASB-A-446648770-a095dc4a"},{"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","digest":{"threshold":0.9,"line_hashes":["283473912220730539996808505321285588488","282379519402453234653640911446496461682","180019526495118017326739593146279295034","127703605037329090890997472871119392881","257757383132649446419959855998803868183","207123435426603509375397963049063922643","321988435554987910950377870876338988276","213917199970682281630473111601042701007","320480072546889979068846311463305586477","282837849059342887715680713098453968916","102636347842246774708837963250878814246","330445333256328674200284537248793228348","257164867764520225110026204737396977674","30433805054825544707946463506709329172","124645913546482956324079446531650032764","190398880868658174037474825069554292580","64671137334939586658247282280300550306","311922899447412556101406509780565561577","255993891640699880661468095459341916628"]},"target":{"file":"net/tls/tls_strp.c"},"deprecated":false,"signature_version":"v1","signature_type":"Line","id":"ASB-A-446648770-aa5115ca"},{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc","target":{"file":"net/tls/tls_sw.c"},"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["259352220024315208510789459129187146363","70821024282919158246521290310114840820","257139970137432328844216514013311298012","273441906032623416244819020749562126365"],"threshold":0.9},"id":"ASB-A-446648770-b0fd8bf1"},{"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","digest":{"function_hash":"73899250446012620206950543049773955899","length":202},"target":{"file":"net/tls/tls_strp.c","function":"tls_strp_abort_strp"},"deprecated":false,"signature_version":"v1","signature_type":"Function","id":"ASB-A-446648770-b79f5c12"},{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a50","target":{"file":"net/tls/tls_strp.c","function":"tls_strp_read_sock"},"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"153434889485638265871577548869593617670","length":694},"id":"ASB-A-446648770-d72d2e9c"},{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a50","target":{"file":"net/tls/tls_strp.c","function":"tls_strp_abort_strp"},"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"73899250446012620206950543049773955899","length":202},"id":"ASB-A-446648770-dc567dbb"},{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","target":{"file":"net/tls/tls_strp.c","function":"tls_strp_copyin_frag"},"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"14736950894827631867549102320191922726","length":1305},"id":"ASB-A-446648770-eb7d8bd9"},{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","target":{"file":"net/tls/tls_strp.c"},"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["283473912220730539996808505321285588488","282379519402453234653640911446496461682","180019526495118017326739593146279295034","127703605037329090890997472871119392881","257757383132649446419959855998803868183","207123435426603509375397963049063922643","321988435554987910950377870876338988276","213917199970682281630473111601042701007","320480072546889979068846311463305586477","282837849059342887715680713098453968916","102636347842246774708837963250878814246","330445333256328674200284537248793228348","257164867764520225110026204737396977674","30433805054825544707946463506709329172","124645913546482956324079446531650032764","190398880868658174037474825069554292580","64671137334939586658247282280300550306","311922899447412556101406509780565561577","255993891640699880661468095459341916628"],"threshold":0.9},"id":"ASB-A-446648770-f3d2de02"},{"deprecated":false,"source":"https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a50","target":{"file":"net/tls/tls_strp.c","function":"tls_strp_copyin_frag"},"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"14736950894827631867549102320191922726","length":1305},"id":"ASB-A-446648770-fab68c67"}],"spl":"2026-03-05","fixes":["https://android.googlesource.com/kernel/common/+/1257aa4519ee5d49e465b0dcc85cc7e4a24619d5","https://android.googlesource.com/kernel/common/+/c4bcbf924ba0823fcdc960c02e0409dbcd345a50","https://android.googlesource.com/kernel/common/+/8f4e429a1e36e588f434772dceca9068dc1208cc"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-446648770.json"}}],"schema_version":"1.7.5"}