{"id":"PUB-A-174846563","details":"In lock_sock_nested of sock.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-174846563","CVE-2022-20154"],"modified":"2026-04-15T15:55:00.724021Z","published":"2022-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-06-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/769d14abd35e0"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2022-06-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"spl":"2022-06-05","vanir_signatures":[{"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["23347061211291941481806857906102284911","177002230662709273784008017188721606951","48376934442674723451773150477588234907","182299074923096271849129184776724678993","338676634134201886380325063000256267269","291290793429430997008888280029755099487","144172288641749097597953834940837677490","336369842191703597786746992019606580619","71065391040256152326279089265785663849","323652614636588655306470968658792666077","85746989684007224125230686831696881199","59410769388531461730540176810929051063","217131076971137137259778968319834908859","158810023086232955152764885098882485330","338676634134201886380325063000256267269","135099952024222933799081601528028364426","97021692627629513048798716597852309642","86193371296286845210734849710227024821","297085228972537975585287790301781137066","266439521223484594231214930226963099212","271182323383272205431929266079022407078"],"threshold":0.9},"id":"PUB-A-174846563-106ccc13","source":"https://android.googlesource.com/kernel/common/+/769d14abd35e0","deprecated":false,"target":{"file":"net/sctp/diag.c"}},{"signature_version":"v1","signature_type":"Function","digest":{"length":76,"function_hash":"289627938984407819320593096123563229491"},"id":"PUB-A-174846563-143af40f","source":"https://android.googlesource.com/kernel/common/+/769d14abd35e0","deprecated":false,"target":{"file":"net/sctp/endpointola.c","function":"sctp_endpoint_hold"}},{"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["309383236726669950585157689903458752515","88260067284349508674870075420060564826","155292910023572277903270872531702950838","134290720386689805509421112861744409388","137027131051176327367587178198067611650","105526423192713990914016495304444566670","6131714833563070702088356873832316837","270597856673008406909092052482272803316"],"threshold":0.9},"id":"PUB-A-174846563-1541fde2","source":"https://android.googlesource.com/kernel/common/+/769d14abd35e0","deprecated":false,"target":{"file":"include/net/sctp/structs.h"}},{"signature_version":"v1","signature_type":"Function","digest":{"length":607,"function_hash":"163259973829971906389599524297629906217"},"id":"PUB-A-174846563-1630c632","source":"https://android.googlesource.com/kernel/common/+/769d14abd35e0","deprecated":false,"target":{"file":"net/sctp/socket.c","function":"sctp_for_each_transport"}},{"signature_version":"v1","signature_type":"Function","digest":{"length":1260,"function_hash":"126825142230646115460025181308384348397"},"id":"PUB-A-174846563-22e1eacf","source":"https://android.googlesource.com/kernel/common/+/769d14abd35e0","deprecated":false,"target":{"file":"net/sctp/diag.c","function":"sctp_sock_dump"}},{"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["21029744086309906970192052545801022644","106626585854412762394079991574934827856","50472161052762845031951012452900617485","161416688380122876796813718749523477740","201400781867629564491302620713910763644","135879850248734875220118336854112733897","237041325697964225834429682552458975556","41173980032348538667588302154121489846","113562329963194921225501512825865264236"],"threshold":0.9},"id":"PUB-A-174846563-7f204eef","source":"https://android.googlesource.com/kernel/common/+/769d14abd35e0","deprecated":false,"target":{"file":"include/net/sctp/sctp.h"}},{"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["77193003971849626018765633387649046973","82115348930108064197334200024154074498","269294668493860627699164151471595859596","43650239782021040008766962902246222476","163270045153988776586878691775726133960","315911071379310057430653051766749740245","186201964194282393744418514394443606371","296980782533405293265090397253198875652","270293343885687206722616696434647117664","121785418128703810881838935323955722146","52695996913667367082078284090442762055","36214710859350875217012576783547298531","165385393037156771776296065381759236306","340103536046995691884541934066684729201","267199293733246693683458233170125595373","46958561471194245189831729508447736562","44096646829538136613692942564487221239","69887669591234300476500013493416067482","287433118589882673733146831615774929913","207011356434488265614941819158240886511","25771891663138874142886022233768142948","101958866392095468117239515781232537850","2021272789740270285622707479131571873","112722235892719158983243476694290259423","9146097746976765165105370416997648494","322296279780217818017213369637734780454","233689922645175987651037017009216159089","115220128488945262303025556472777370136","91704628221969302552468011035767942819"],"threshold":0.9},"id":"PUB-A-174846563-8b402d12","source":"https://android.googlesource.com/kernel/common/+/769d14abd35e0","deprecated":false,"target":{"file":"net/sctp/socket.c"}},{"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["136705704668287840838098663425903034513","209011007118665923910912207593411207834","195304914403678243150676024956944031826","234261603079972679903775017704876541856","160982432776247276356533607157783564410","231748902300842946121468390622158524838","105702593457023692281795196419238299983","166824963132324437765813543408167983364","251960731091318363314892629619975711501","208190353853242567467607915468660235125","102563894740154053488831973439967749797","219675865577385818886984314696480683657","27342335990728957538735726433258772481","328276165476366546641643445894555965025"],"threshold":0.9},"id":"PUB-A-174846563-a0e935f9","source":"https://android.googlesource.com/kernel/common/+/769d14abd35e0","deprecated":false,"target":{"file":"net/sctp/endpointola.c"}},{"signature_version":"v1","signature_type":"Function","digest":{"length":618,"function_hash":"95825773360939100849072090054173255776"},"id":"PUB-A-174846563-c6208bdd","source":"https://android.googlesource.com/kernel/common/+/769d14abd35e0","deprecated":false,"target":{"file":"net/sctp/endpointola.c","function":"sctp_endpoint_destroy"}},{"signature_version":"v1","signature_type":"Function","digest":{"length":436,"function_hash":"219892017511828597570517694760514253467"},"id":"PUB-A-174846563-cf1e5d11","source":"https://android.googlesource.com/kernel/common/+/769d14abd35e0","deprecated":false,"target":{"file":"net/sctp/diag.c","function":"sctp_sock_filter"}}],"severity":"Moderate","fixes":["https://android.googlesource.com/kernel/common/+/769d14abd35e0"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/PUB-A-174846563.json"}}],"schema_version":"1.7.5"}