Multiple vulnerabilities in Google Chromecast



Published: 2022-07-19
Risk: Medium
Patch available: YES
Number of vulnerabilities: 19
CVE-ID: CVE-2021-39704, CVE-2021-39809, CVE-2021-39808, CVE-2021-39807, CVE-2021-39707, CVE-2021-39706, CVE-2021-0957, CVE-2022-20363, CVE-2021-39803, CVE-2021-39667, CVE-2021-39700, CVE-2022-20007, CVE-2022-20005, CVE-2022-20004, CVE-2021-39796, CVE-2021-39692, CVE-2022-20114, CVE-2022-20011, CVE-2022-20112
CWE-ID: CWE-264, CWE-200, CWE-416
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Chromecast (Operating systems & Components / Operating system)
Vendor: Google

Security Bulletin

This security bulletin contains information about 19 vulnerabilities.

1) Security restrictions bypass

EUVDB-ID: #VU61089

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39704

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a malicious application to escalate privileges on the system.

The vulnerability exists due to an unspecified error in the Android kernel. A malicious application can escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU61994

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39809

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local application to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output. A local application can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU61992

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39808

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a security restrictions bypass in the System component. A local application can bypass implemented security restrictions and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU61995

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39807

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a security restrictions bypass in the System component. A local application can escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Security restrictions bypass

EUVDB-ID: #VU61091

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39707

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a malicious application to escalate privileges on the system.

The vulnerability exists due to an unspecified error in the Android kernel. A malicious application can escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Security restrictions bypass

EUVDB-ID: #VU61090

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39706

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a malicious application to escalate privileges on the system.

The vulnerability exists due to an unspecified error in the Android kernel. A malicious application can escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Security restrictions bypass

EUVDB-ID: #VU61085

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0957

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a malicious application to escalate privileges on the system.

The vulnerability exists due to an unspecified error in the Android kernel. A malicious application can escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU65425

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20363

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to an unspecified error in AMLogic in Chromecast. A local application can trigger the vulnerability to bypass security restrictions and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Information disclosure

EUVDB-ID: #VU61990

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39803

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output in Media Framework Media Codecs. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Information disclosure

EUVDB-ID: #VU61083

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39667

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output in the media framework. A remote attacker can trick the victim into opening a specially crafted media file and gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Information disclosure

EUVDB-ID: #VU65435

Risk: Low

CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39700

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local application to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A local application can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use-after-free

EUVDB-ID: #VU65432

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20007

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in startActivityForAttachedApplicationIfNeeded of RootWindowContainer.java. A local application can trick the victim into opening a specially crafted file and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU65429

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20005

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to an unspecified error in validateApkInstallLocked of PackageInstallerSession.java. A local application can trigger the vulnerability to bypass security restrictions and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU65427

Risk: Low

CVSSv3.1: 7.3 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20004

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to an unspecified error in the Chromecast Framework. A local application can trigger the vulnerability to bypass security restrictions and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU61986

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39796

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to improperly imposed security restrictions within the Android framework. A local application can escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Security restrictions bypass

EUVDB-ID: #VU61077

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39692

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a malicious application to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in the Android Framework. A malicious application can trick the victim into performing certain actions and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU65443

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20114

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to an error in placeCall of TelecomManager.java that allows an application to keep itself running with foreground service importance. A local application can bypass security restrictions and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU65444

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20011

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a missing permissions check in getArray() in NotificationManagerService.java. A local application can obtain notifications that belong to another application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU65445

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20112

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to improperly imposed security restrictions in getAvailabilityStatus in PrivateDnsPreferenceController.java. A local application can change private DNS settings and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chromecast: before 10 2022-02-05

External links

http://source.android.com/security/bulletin/chromecast/2022-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


