{"id":"PUB-A-193033243","details":"In setTransactionState of SurfaceFlinger, there is possible arbitrary code execution in a privileged process due to improper casting. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-193033243","CVE-2021-1027"],"modified":"2026-05-01T15:24:27.653932Z","published":"2021-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2021-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"}],"affected":[{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2021-12-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Function","digest":{"length":308,"function_hash":"148854455244816904141629808056262942731"},"target":{"function":"extractLayerFromBinder","file":"services/surfaceflinger/Layer.cpp"},"id":"PUB-A-193033243-070cdc73","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Function","digest":{"length":764,"function_hash":"130293978526721095055343248248164931332"},"target":{"function":"Layer::setRelativeLayer","file":"services/surfaceflinger/Layer.cpp"},"id":"PUB-A-193033243-432988f3","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Line","digest":{"line_hashes":["239402453879805974820221514929899196888","2249085044513177693025040255682456257","226345157174825149979105440303441858407","13268908067441088285336305028466132062","112091935413235430624711822683675802486","225029701668452592244386154018306295060","277572189605657307185401248928118138060","219669145659572649728034698982296154536","94441765663594011270865342380946982847","74323979708334143926068579442598755407","193788821048580266110294070658778600659","296647607454635625776428477407160123115","223936090731318599001442584936302837053"],"threshold":0.9},"target":{"file":"services/surfaceflinger/SurfaceFlinger.h"},"id":"PUB-A-193033243-559d2e16","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Line","digest":{"line_hashes":["225306940971149859754997434060906864893","6962442468913351774715844956380190534","179625925245624769655467472890004098774","178712557885458808051994052757116474245","57500976776301698093940671872786763994","323481002034659072296792651226652396847","35566303659113572604595042255255460944","51864298357820387873168289895513169588","154607271257312167751874117487651956353","118326247183166808416632643915302236165","50214010415513002184250466891761797279","20727968245318005281300716163778375075","157662469722496657335228128105167160105","28303165143886896161884694133395623838","303087693426676530330470730658327809406","37538903106455159847944172283949152041","317915974150158399236841457190156942990"],"threshold":0.9},"target":{"file":"services/surfaceflinger/SurfaceInterceptor.cpp"},"id":"PUB-A-193033243-59b9da9e","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Function","digest":{"length":285,"function_hash":"190280804825596418843573860348017150566"},"target":{"function":"Layer::setInputInfo","file":"services/surfaceflinger/Layer.cpp"},"id":"PUB-A-193033243-608695c2","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Function","digest":{"length":117,"function_hash":"210869673462791584966852221607700206295"},"target":{"function":"SurfaceFlinger::fromHandle","file":"services/surfaceflinger/SurfaceFlinger.cpp"},"id":"PUB-A-193033243-675646a8","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Function","digest":{"length":528,"function_hash":"272397869756864511585901407042354871271"},"target":{"function":"SurfaceFlinger::onHandleDestroyed","file":"services/surfaceflinger/SurfaceFlinger.cpp"},"id":"PUB-A-193033243-6c2bcd89","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Line","digest":{"line_hashes":["136006072136364286030451714101063289554","37885445453371406218133702823075601596","144902293842621749154798219155681528334","17167489456463945787529279788598170976","38438209846733648038135248009325580343","292004329668566787361512609336689332819","167634453265103235302795215640246023976","155472291971490582181828798537918678623","149820680580176694431406729916008354716","145940822595336290167236489780161960674","202724038824256789684451275572112850503","241467872763009047595648324782019049264","10091708412893233576477886080475815643","2766523982644813870630938944756034312","273061877606499572861151057485873373735","270708242246297760663083940232702998476","71393996832272237438156330610627666541","109112431274242209742538158946042517863","74275643563225076357676325107272933795","69152958776646416940753459701778578530","129683263321805956961470041965054686621","46524083787953808101646894193511390849","39896797484673782284311879636348978379","164452682644643208993642331956545705873","146546620116686766324279736950402761232","102751599998869278005733960896790012595","130599711656616654904211232685050482909","100496892379360003895295596115922141851","43214606916536267417661410022357656573","329352217235652700427298558406364434686","83919560248309412451529874261934986451","73648893346148962600065841783807431679","89778085805477558843696716084211082459","140979369812248538635045666159972441110","37813659987758821446922066962026899856","85043170291534718682850576254465764728","909835335659200388773556295053511519","187394542648027054581644542904147451484","237797113250768572897659021958567736260","224845452778262664658006672673773083002","277538684427090502016513850203927738191","101174805359562870285053871465465366111","296434369643084843306585402847894692334","335282290052372085275078867439059538904","255657060539628187845840042326061412235","169518170621707652381701704337183352223","149197169950953529472195273405535736149","178905101917885354047822277651638030170","170252744051276544756709934721862888796","42207463470114370069681183239957908455","213179858847220692546114735595066497979","103114633972873767947200851920497983405","214729183865059137688147169533018483573","160997270959241678084898697629908322870","73941123739552011957078085332501843006","235604830328682315607232431977386138049","12585500931071506999697251752454483799","194342658522476755407175476620666292064","87829346955865209621376591611111344704","7297744059548570342777310951062656277","63770852577913088377791142719328341571","310969560748103874126455025029343021514","332156213924422119224217121229822195439","126976632900394201730671429233344242604","135452257777181003704069165521506552603","333857430071666233630483665479349949876","17922504818346392580126872495161541075","106921782673202069771762251030344068290","298841092162327648665127528615817493617"],"threshold":0.9},"target":{"file":"services/surfaceflinger/SurfaceFlinger.cpp"},"id":"PUB-A-193033243-6efdfeec","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Function","digest":{"length":252,"function_hash":"238514461389302230355808178521023634988"},"target":{"function":"SurfaceInterceptor::getLayer","file":"services/surfaceflinger/SurfaceInterceptor.cpp"},"id":"PUB-A-193033243-7bf37204","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Line","digest":{"line_hashes":["19324125944673929876317574983437657487","16900380928425654835962543966915816434","28860736293614418934226195182894854962","43405743797557795834132066604651494940","53110454057224839023518192984000517384","61147810411074516790205295877503383223","339666493182311818867657985482013197817","289988273976525370635197998815477395780","147447930624726277773736410382501647353","83515080549718919754867058606010317420","55986800092397743693966673432436847646","65174026325499613114215567956773254583","88887067396733216877118661843837852851","115381819434878148430744623758650560898","143816748848899746169392340051465753832","266184913105125242606668138514865619305","45313648379568129541186714961092023827","145713029121759960842183002785636454809","147068460252592959441033563908951256538","174118747610928324696979176061129654548","279260658765857506830230325178678207629","179485207995446800727656766953970256323","167784268963113179362930219122312644496","281817805564705012356313136627439469187","130647464686857805216855722063703665654","75323933321313771532081015838036645651","250131377566475651383186976983704887448","215853296336233910372431323307679109967","6619378808088534728825262515365547326","175929151346973007231099330303207577603","42423112775543014511243081025675071865","164649599368892808287888606545152284670","56703230976113798066592004472291570709","326378269591042118602134048380147485699","100471330673333361245188010564633314378","91330178860709430704607251398660511149"],"threshold":0.9},"target":{"file":"services/surfaceflinger/Layer.cpp"},"id":"PUB-A-193033243-803aaf79","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Function","digest":{"length":669,"function_hash":"72180255198095941201819186016615005055"},"target":{"function":"Layer::reparent","file":"services/surfaceflinger/Layer.cpp"},"id":"PUB-A-193033243-858e4fa2","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Function","digest":{"length":340,"function_hash":"295735437818471318240263290444204326115"},"target":{"function":"SurfaceFlinger::fromHandleLocked","file":"services/surfaceflinger/SurfaceFlinger.cpp"},"id":"PUB-A-193033243-86d47d6e","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Line","digest":{"line_hashes":["180459281533515573444194746118978517362","77486947446523004351637212510357807146","320112465890559239182126150770937284651","116848848557501671777503124013747448582","1984503516145367709606882907228341434","253549876504776358878858375170243429720","274925040840188667756074887590989013169","38165628023785295340404217939430881346","203767377063084735029005355072152820751","303057317047828389610248161797019837562","270166416322623123507685998952583874592","105246265134523999548902035894778709514","67345504727149345076752764380236214194","280555717421973170297833378305528097463","210516112650426618323597342028005221208","158632482583122815120188403597333694316","309271713042654231707740391729741500941"],"threshold":0.9},"target":{"file":"services/surfaceflinger/Layer.h"},"id":"PUB-A-193033243-a802cff6","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Line","digest":{"line_hashes":["249359015536695073772524735223714475384","280468340427400704853703422136017137376","186349254690430549925272512297185371446","126290562815896788549251162284509452811","194809315623446784663537516323511447070","162678448710453754531187414328125944771","57711654589088292708476087727744893163"],"threshold":0.9},"target":{"file":"services/surfaceflinger/SurfaceInterceptor.h"},"id":"PUB-A-193033243-a8220ea0","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Function","digest":{"length":293,"function_hash":"277747683752730879581956337285799393658"},"target":{"function":"SurfaceInterceptor::getLayerIdFromHandle","file":"services/surfaceflinger/SurfaceInterceptor.cpp"},"id":"PUB-A-193033243-b480d3c2","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"},{"signature_type":"Function","digest":{"length":10777,"function_hash":"44791309334450844456675503081552095819"},"target":{"function":"SurfaceFlinger::setClientStateLocked","file":"services/surfaceflinger/SurfaceFlinger.cpp"},"id":"PUB-A-193033243-bf68bfd4","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"}],"types":["EoP"],"spl":"2021-12-01","fixes":["https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908"],"severity":"Moderate"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/PUB-A-193033243.json"}}],"schema_version":"1.7.5"}