{"id":"PUB-A-237291506","details":"In SurfaceFlinger::doDump of SurfaceFlinger.cpp, there is possible arbitrary code execution due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-237291506","CVE-2022-20540"],"modified":"2026-05-01T15:24:27.653932Z","published":"2022-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/native/+/3b3e59185dc1e9a319d8ce20ac19c30a966a5a9c"}],"affected":[{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2022-12-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2022-12-01","vanir_signatures":[{"id":"PUB-A-237291506-5a7fa69b","source":"https://android.googlesource.com/platform/frameworks/native/+/3b3e59185dc1e9a319d8ce20ac19c30a966a5a9c","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["202552566103172794334449075147116261977","17828242352471470747654031650459973474","178920184540350817198664693925416737068","22861166017075532457214272563558181225","106092344314481662412359495682883828618","10002953465525676573429818277245464833","199752922789999390898171994449354968765","40486688523457856319539344616562793109","156261275014300865892894173602100980344","261994475144878985181199186560335943212","116664300387759021222945622545125784354","145370459592591971971703608573357510240","123934905376987760421715678347351933206","118792984744032921721784902033423144310","337746606604105444770841156528986888679","8370428410160955034372225559325938572","155811780327961771535423292880495748352","73750773721777150041906658941322049354","166844114380611729495132428277631231212","294682923990878206365699557575840182427","85153290377142314535769775064027372193","126785933011848558680650342112282968603","234319306269885407629505207240028504053","52381328539908633917726348164360209338","149842562003426643530537863145769810764"]},"signature_type":"Line","deprecated":false,"target":{"file":"services/surfaceflinger/SurfaceFlinger.cpp"}},{"id":"PUB-A-237291506-6b0ff607","source":"https://android.googlesource.com/platform/frameworks/native/+/3b3e59185dc1e9a319d8ce20ac19c30a966a5a9c","signature_version":"v1","digest":{"function_hash":"84383745075848416457401126393956279062","length":2609},"signature_type":"Function","deprecated":false,"target":{"function":"SurfaceFlinger::doDump","file":"services/surfaceflinger/SurfaceFlinger.cpp"}},{"id":"PUB-A-237291506-a39e64e4","source":"https://android.googlesource.com/platform/frameworks/native/+/3b3e59185dc1e9a319d8ce20ac19c30a966a5a9c","signature_type":"Line","signature_version":"v1","match_only_versions":["13"],"digest":{"threshold":0.9,"line_hashes":["61295553883382107246551767482679757213","234407580720518423129798393674012316815","74396831356225118241411121716367814081","334816721397443605868571587195675287237"]},"deprecated":false,"target":{"file":"services/surfaceflinger/SurfaceFlinger.h"}},{"id":"PUB-A-237291506-f117618b","source":"https://android.googlesource.com/platform/frameworks/native/+/3b3e59185dc1e9a319d8ce20ac19c30a966a5a9c","signature_version":"v1","digest":{"function_hash":"319702184430085328226299782705555270871","length":4629},"signature_type":"Function","deprecated":false,"target":{"function":"SurfaceFlinger::dumpAllLocked","file":"services/surfaceflinger/SurfaceFlinger.cpp"}}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/native/+/3b3e59185dc1e9a319d8ce20ac19c30a966a5a9c"],"severity":"Moderate"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/PUB-A-237291506.json"}}],"schema_version":"1.7.5"}