Android Input Dispatcher Component Use-After-Free Vulnerability Allowing Local Privilege Escalation
Vulnerability
A use-after-free vulnerability has been identified in the InputDispatcher component of the Android framework. This issue arises in the 'afterKeyEventLockedInterruptable' function, where a reference to an EventEntry object can be lost after the InputDispatcher releases its lock, potentially leading to a crash. Exploitation of this vulnerability could allow for local privilege escalation, with no additional execution privileges required. User interaction is not necessary for exploitation.
Impact
Exploitation of this vulnerability could lead to a crash of the InputDispatcher, causing a denial-of-service condition on the device.
Reproduction
The vulnerability can be reproduced by sending a key event to an application that is currently in focus. The InputDispatcher will process the key event and notify the application's policy about any unhandled events. However, before the InputDispatcher completes this process, a binder call to 'removeInputChannel' can interrupt and drain the waitQueue, causing the DispatchEntry to be deleted. If this entry was the last reference to the KeyEntry object, the KeyEntry will be freed. When the InputDispatcher later resumes and attempts to use the KeyEntry reference, it will point to deallocated memory, leading to a crash.
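To make the lifetime hazard in the description above concrete, the following is an added illustrative C++ example, not AOSP code: `ToyDispatcher`, `KeyEntry`, `enqueueKey`, `removeInputChannel`, `afterKeyEventUnsafe` and `afterKeyEventSafe` are hypothetical stand-ins for the real InputDispatcher types and methods. It models the window in which the dispatcher lock is released while a non-owning reference to the queued entry is held, using `std::weak_ptr` in place of a raw pointer so that the freed-entry case stays well-defined instead of touching deallocated memory, and shows the defensive pattern of taking an owning reference before dropping the lock. Whether the actual Android fix uses exactly this pattern is an assumption, not something this page states.

```cpp
// Added example (not AOSP code): non-owning vs owning reference held across an
// unlocked window, modelling the InputDispatcher waitQueue race described above.
#include <cstdio>
#include <deque>
#include <memory>
#include <mutex>

// Hypothetical stand-in for the dispatcher's KeyEntry (an EventEntry subtype).
struct KeyEntry {
    int keyCode;
    explicit KeyEntry(int k) : keyCode(k) {}
};

// Hypothetical stand-in for the InputDispatcher's lock and waitQueue. The queue's
// shared_ptr represents the DispatchEntry's ownership of the KeyEntry: once the
// queue is drained, that may have been the last reference.
struct ToyDispatcher {
    std::mutex lock;
    std::deque<std::shared_ptr<KeyEntry>> waitQueue;

    void enqueueKey(int keyCode) {
        std::lock_guard<std::mutex> guard(lock);
        waitQueue.push_back(std::make_shared<KeyEntry>(keyCode));
    }

    // Models a removeInputChannel() binder call draining the waitQueue while the
    // dispatcher lock is released: every DispatchEntry, and with it the queue's
    // ownership of the KeyEntry, is dropped.
    void removeInputChannel() {
        std::lock_guard<std::mutex> guard(lock);
        waitQueue.clear();
    }
};

// Vulnerable pattern: only a non-owning reference survives the unlocked window.
// Returns true if the entry is still alive after the lock is re-acquired.
bool afterKeyEventUnsafe(ToyDispatcher& d) {
    std::weak_ptr<KeyEntry> entryRef;       // stands in for a raw KeyEntry*
    {
        std::lock_guard<std::mutex> guard(d.lock);
        if (d.waitQueue.empty()) return false;
        entryRef = d.waitQueue.front();
    }
    // Lock released to notify the policy; the concurrent binder call lands here.
    d.removeInputChannel();
    std::lock_guard<std::mutex> guard(d.lock);
    std::shared_ptr<KeyEntry> entry = entryRef.lock();
    return entry != nullptr;                // false: the KeyEntry was already freed
}

// Hardened pattern: copy an owning reference before releasing the lock so the
// entry outlives the unlocked window regardless of what drains the queue.
// Returns the key code read through the retained reference, or -1 if none.
int afterKeyEventSafe(ToyDispatcher& d) {
    std::shared_ptr<KeyEntry> entry;
    {
        std::lock_guard<std::mutex> guard(d.lock);
        if (d.waitQueue.empty()) return -1;
        entry = d.waitQueue.front();        // owning copy keeps the KeyEntry alive
    }
    d.removeInputChannel();
    std::lock_guard<std::mutex> guard(d.lock);
    return entry->keyCode;                  // still valid: we hold a reference
}

// Constructed scenario: one queued key event (29 is Android's KEYCODE_A), then the
// queue is drained during the unlocked window.
bool unsafeEntrySurvives() {
    ToyDispatcher d;
    d.enqueueKey(29);
    return afterKeyEventUnsafe(d);
}

int safeEntryKeyCode() {
    ToyDispatcher d;
    d.enqueueKey(29);
    return afterKeyEventSafe(d);
}

int main() {
    std::printf("unsafe: entry alive after window = %s\n",
                unsafeEntrySurvives() ? "yes" : "no");
    std::printf("safe:   key code read after window = %d\n", safeEntryKeyCode());
    return 0;
}
```

In a code review this is the check to apply to any dispatcher-style loop: every pointer or reference obtained under the lock must either be dropped before the lock is released or be converted to an owning reference first. On devices, the patched behaviour is simply that the InputDispatcher no longer crashes when an input channel is removed while an unhandled key is being reported to the policy.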
Remediation
Users can update their devices to the April 2025 security patch level to address this vulnerability.