{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-46935","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-25T13:45:52.720Z","datePublished":"2024-02-27T09:44:02.071Z","dateUpdated":"2025-05-04T07:00:39.427Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:00:39.427Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix async_free_space accounting for empty parcels\n\nIn 4.13, commit 74310e06be4d (\"android: binder: Move buffer out of area shared with user space\")\nfixed a kernel structure visibility issue. As part of that patch,\nsizeof(void *) was used as the buffer size for 0-length data payloads so\nthe driver could detect abusive clients sending 0-length asynchronous\ntransactions to a server by enforcing limits on async_free_size.\n\nUnfortunately, on the \"free\" side, the accounting of async_free_space\ndid not add the sizeof(void *) back. The result was that up to 8-bytes of\nasync_free_space were leaked on every async transaction of 8-bytes or\nless.  These small transactions are uncommon, so this accounting issue\nhas gone undetected for several years.\n\nThe fix is to use \"buffer_size\" (the allocated buffer size) instead of\n\"size\" (the logical buffer size) when updating the async_free_space\nduring the free operation. These are the same except for this\ncorner case of asynchronous transactions with payloads < 8 bytes."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/android/binder_alloc.c"],"versions":[{"version":"74310e06be4d74dcf67cd108366710dee5c576d5","lessThan":"2d2df539d05205fd83c404d5f2dff48d36f9b495","status":"affected","versionType":"git"},{"version":"74310e06be4d74dcf67cd108366710dee5c576d5","lessThan":"7c7064402609aeb6fb11be1b4ec10673ff17b593","status":"affected","versionType":"git"},{"version":"74310e06be4d74dcf67cd108366710dee5c576d5","lessThan":"103b16a8c51f96d5fe063022869ea906c256e5da","status":"affected","versionType":"git"},{"version":"74310e06be4d74dcf67cd108366710dee5c576d5","lessThan":"1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4","status":"affected","versionType":"git"},{"version":"74310e06be4d74dcf67cd108366710dee5c576d5","lessThan":"17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff","status":"affected","versionType":"git"},{"version":"74310e06be4d74dcf67cd108366710dee5c576d5","lessThan":"cfd0d84ba28c18b531648c9d4a35ecca89ad9901","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/android/binder_alloc.c"],"versions":[{"version":"4.14","status":"affected"},{"version":"0","lessThan":"4.14","status":"unaffected","versionType":"semver"},{"version":"4.14.261","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.224","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.170","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.90","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.13","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"4.14.261"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"4.19.224"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"5.4.170"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"5.10.90"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"5.15.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"5.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2d2df539d05205fd83c404d5f2dff48d36f9b495"},{"url":"https://git.kernel.org/stable/c/7c7064402609aeb6fb11be1b4ec10673ff17b593"},{"url":"https://git.kernel.org/stable/c/103b16a8c51f96d5fe063022869ea906c256e5da"},{"url":"https://git.kernel.org/stable/c/1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4"},{"url":"https://git.kernel.org/stable/c/17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff"},{"url":"https://git.kernel.org/stable/c/cfd0d84ba28c18b531648c9d4a35ecca89ad9901"}],"title":"binder: fix async_free_space accounting for empty parcels","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2021-46935","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-02-27T20:52:57.585284Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-07-05T17:22:03.611Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:17:43.010Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/2d2df539d05205fd83c404d5f2dff48d36f9b495","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/7c7064402609aeb6fb11be1b4ec10673ff17b593","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/103b16a8c51f96d5fe063022869ea906c256e5da","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/cfd0d84ba28c18b531648c9d4a35ecca89ad9901","tags":["x_transferred"]}]}]}}