CVE-2021-0947

The method PVRSRVBridgeTLDiscoverStreams allocates puiStreamsInt on the heap, fills the contents of the buffer via TLServerDiscoverStreamsKM, and then copies the buffer to userspace. The method TLServerDiscoverStreamsKM may fail for several reasons including invalid sizes. If this method fails the buffer will be left uninitialized and despite the error will still be copied to userspace. Kernel leak of uninitialized heap data with no privs required.Product: AndroidVersions: Android SoCAndroid ID: A-236838960

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://source.android.com/security/bulletin/2022-08-01	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

History

08 Aug 2023, 14:21

Type	Values Removed	Values Added
CWE	~~CWE-119~~	CWE-909

29 Aug 2022, 00:59

Type	Values Removed	Values Added
CWE		CWE-119
First Time		Google android Google
CPE		cpe:2.3:o:google:android:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~(MISC) https://source.android.com/security/bulletin/2022-08-01 -~~	(MISC) https://source.android.com/security/bulletin/2022-08-01 - Vendor Advisory

24 Aug 2022, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-08-24 14:15

Updated : 2023-12-10 14:35

NVD link : CVE-2021-0947

Mitre link : CVE-2021-0947

CVE.ORG link : CVE-2021-0947

JSON object : View

Products Affected

google

android

CWE

CWE-909

Missing Initialization of Resource

{"id": "CVE-2021-0947", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-08-24T14:15:09.347", "references": [{"url": "https://source.android.com/security/bulletin/2022-08-01", "tags": ["Vendor Advisory"], "source": "security@android.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-909"}]}], "descriptions": [{"lang": "en", "value": "The method PVRSRVBridgeTLDiscoverStreams allocates puiStreamsInt on the heap, fills the contents of the buffer via TLServerDiscoverStreamsKM, and then copies the buffer to userspace. The method TLServerDiscoverStreamsKM may fail for several reasons including invalid sizes. If this method fails the buffer will be left uninitialized and despite the error will still be copied to userspace. Kernel leak of uninitialized heap data with no privs required.Product: AndroidVersions: Android SoCAndroid ID: A-236838960"}, {"lang": "es", "value": "El m\u00e9todo PVRSRVBridgeTLDiscoverStreams asigna puiStreamsInt en el heap, llena el contenido del buffer por medio de TLServerDiscoverStreamsKM, y luego copia el buffer al espacio de usuario. El m\u00e9todo TLServerDiscoverStreamsKM puede fallar por varias razones, incluyendo tama\u00f1os no v\u00e1lidos. Si este m\u00e9todo falla, el b\u00fafer se dejar\u00e1 sin inicializar y, a pesar del error, seguir\u00e1 copi\u00e1ndose en el espacio de usuario. Filtraci\u00f3n en el kernel de datos de la pila no inicializados sin ser requeridos privilegios. Producto: Android, Versiones: Android SoC, ID de Android: A-236838960"}], "lastModified": "2023-08-08T14:21:49.707", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}], "operator": "OR"}]}], "sourceIdentifier": "security@android.com"}