{"id":"PUB-A-190011721","details":"In retrieve_ptr_limit and related functions of verifier.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-190011721","CVE-2021-33200"],"modified":"2026-04-13T15:04:09.269232Z","published":"2021-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2021-12-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/4e2c7b297431"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/c87ef240a8bb"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/27acfd11ba17"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2021-12-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"source":"https://android.googlesource.com/kernel/common/+/4e2c7b297431","digest":{"length":4765,"function_hash":"280925786661479790060625219488333451145"},"deprecated":false,"target":{"file":"kernel/bpf/verifier.c","function":"adjust_ptr_min_max_vals"},"signature_version":"v1","signature_type":"Function","id":"PUB-A-190011721-06da4639"},{"source":"https://android.googlesource.com/kernel/common/+/4e2c7b297431","digest":{"threshold":0.9,"line_hashes":["262039529909060196131840256906024236091","270188737281727892283613521542930633652","202666486935702327703733695467908503678","206109830977063295313481655814501734546","292486978687385929434937330953248332427","328639218135929486931504967438055463412","62868870917074497638268689937442447168","320310744290047615038558848755583454387","261457560931777040427055367791851611644","68582937390981047386786096394346336561","262129148996771020818048131033824065966","112351779731652824777136638711725917188","190261737873874972819381169079371674881","303706700695040886962027604386566828839","10389472930954564919343417650301357378","3865584324248217866683036343101457061","58441117975608874748647369726117887541","79415134364014076933211547464204217671","317311942449228392442899622207029611134","135760675079791313916564915763451899558","32902188230975282252255827147040916814","204870489292401244044936037152747646290","25504007323729439322956106711636630733","172381262836319009699659302504928370105","136782001053866556956108588732434675271","10245136483796299734482042581954248075","322126300342519691672201230491836247048","108686124283852224623903031889849749709","202818059168461138909902828253571242458"]},"deprecated":false,"target":{"file":"kernel/bpf/verifier.c"},"signature_version":"v1","signature_type":"Line","id":"PUB-A-190011721-0f162e85"},{"source":"https://android.googlesource.com/kernel/common/+/c87ef240a8bb","digest":{"length":1148,"function_hash":"246957723678091566589130391708730684184"},"deprecated":false,"target":{"file":"kernel/bpf/verifier.c","function":"sanitize_ptr_alu"},"signature_version":"v1","signature_type":"Function","id":"PUB-A-190011721-23b47069"},{"source":"https://android.googlesource.com/kernel/common/+/c87ef240a8bb","digest":{"length":747,"function_hash":"6241484433920322589546792130090738769"},"deprecated":false,"target":{"file":"kernel/bpf/verifier.c","function":"retrieve_ptr_limit"},"signature_version":"v1","signature_type":"Function","id":"PUB-A-190011721-81499f5a"},{"source":"https://android.googlesource.com/kernel/common/+/27acfd11ba17","digest":{"threshold":0.9,"line_hashes":["47427510771680019310194127933122136096","319713665651579424303318085355357056722","240756402307389634250126952816184534541","207370627333112601712375871791117294648"]},"deprecated":false,"target":{"file":"kernel/bpf/verifier.c"},"signature_version":"v1","signature_type":"Line","id":"PUB-A-190011721-951b2ab4"},{"source":"https://android.googlesource.com/kernel/common/+/4e2c7b297431","digest":{"length":1127,"function_hash":"187212921763892443154419825529662340918"},"deprecated":false,"target":{"file":"kernel/bpf/verifier.c","function":"sanitize_ptr_alu"},"signature_version":"v1","signature_type":"Function","id":"PUB-A-190011721-97ef0e8e"},{"source":"https://android.googlesource.com/kernel/common/+/27acfd11ba17","digest":{"length":1384,"function_hash":"190812588988046212309368991988796455796"},"deprecated":false,"target":{"file":"kernel/bpf/verifier.c","function":"sanitize_ptr_alu"},"signature_version":"v1","signature_type":"Function","id":"PUB-A-190011721-a841515f"},{"source":"https://android.googlesource.com/kernel/common/+/c87ef240a8bb","digest":{"threshold":0.9,"line_hashes":["3973112015353895427797486632497507088","109492799880415627359173180119756358953","151263697241877261312355100598146786640","227558448847777301654952269804132204619","48422950799149764877750188752617729560","322566115669594912920201594012322327461","39918092637745787937094710157800133725","27974248861366183145253296694337357657","278672871784064751746473846623304960395","10984009763167534490828174999891896918","36147004044395911372441237840665215257","273077193668393981112346615424261606026","89522239158795419087619746193143309496","57296124109740312822760439108636120772","39464320438896685214166384935106519725","271371438596389649210494411959216830846","160026756588115414011880114991878292752","4154023463872514507109786054285824972","84049923922650422497478016294474054196","225208778956210412871068268981562215833","288492177735258700518958040474273244828"]},"deprecated":false,"target":{"file":"kernel/bpf/verifier.c"},"signature_version":"v1","signature_type":"Line","id":"PUB-A-190011721-ae02bd93"}],"severity":"Moderate","fixes":["https://android.googlesource.com/kernel/common/+/4e2c7b297431","https://android.googlesource.com/kernel/common/+/c87ef240a8bb","https://android.googlesource.com/kernel/common/+/27acfd11ba17"],"spl":"2021-12-05"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/PUB-A-190011721.json"}}],"schema_version":"1.7.5"}