Multiple vulnerabilities in Google Android



Published: 2022-08-03
Risk High
Patch available YES
Number of vulnerabilities 19
CVE-ID CVE-2022-22080
CVE-2022-25668
CVE-2022-22070
CVE-2022-22069
CVE-2022-22067
CVE-2022-22062
CVE-2022-22061
CVE-2022-22059
CVE-2021-30259
CVE-2022-20239
CVE-2022-1786
CVE-2022-20082
CVE-2022-20122
CVE-2021-39815
CVE-2021-0947
CVE-2021-0946
CVE-2021-0891
CVE-2021-0887
CVE-2021-0698
CWE-ID CWE-119
CWE-415
CWE-310
CWE-401
CWE-125
CWE-787
CWE-129
CWE-20
CWE-416
CWE-362
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Google Android
Operating systems & Components / Operating system

Vendor Google

Security Bulletin

This security bulletin contains information about 19 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU65956

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-22080

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Audio component when validating backend id in PCM routing process. A remote attacker can trick the victim into opening a specially crafted file, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Double Free

EUVDB-ID: #VU65947

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-25668

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when handling ASF clips. A remote attacker can trick the victim to open a specially crafted video file, trigger a double free error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Buffer overflow

EUVDB-ID: #VU65953

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-22070

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing entries in ARP routing table in Video component. A remote attacker on the local network can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Cryptographic issues

EUVDB-ID: #VU65952

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-22069

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to devices with keyprotect off may store unencrypted keybox in RPMB. A local application can gain access to potentially sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Memory leak

EUVDB-ID: #VU65951

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-22067

CWE-ID: CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when processing NSA RRC Reconfiguration with invalid Radio Bearer Config. A remote attacker can send specially crafted traffic to the system, force it to leak memory and perform denial of service attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Out-of-bounds read

EUVDB-ID: #VU65950

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-22062

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in Data Modem. A remote attacker can pass specially crafted content to the system, trigger an out-of-bounds read error and read contents of memory on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Out-of-bounds write

EUVDB-ID: #VU65949

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-22061

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error when verifying device IDs. A local application can trigger an out-of-bounds write and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Improper Validation of Array Index

EUVDB-ID: #VU65946

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-22059

CWE-ID: CWE-129 - Improper Validation of Array Index

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing video content. A remote attacker can create a specially crafted video file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

9) Input validation error

EUVDB-ID: #VU57896

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-30259

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the system.

The vulnerability exists due to improper validation of function table entries in Audio. A local user can pass specially crafted input to the application and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

10) Input validation error

EUVDB-ID: #VU66079

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-20239

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to unspecified vulnerability in Unisoc VSP. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

11) Use-after-free

EUVDB-ID: #VU64260

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1786

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the Linux kernel’s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. A local user can trigger use-after-free to crash the system or escalate their privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

12) Race condition

EUVDB-ID: #VU65026

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-20082

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a race condition in GPU component. A local application can exploit the race to trigger a use-after-free error and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

13) Input validation error

EUVDB-ID: #VU66078

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-20122

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to unspecified vulnerability in the PowerVR-GPU kernel driver. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

14) Input validation error

EUVDB-ID: #VU66077

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-39815

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to unspecified vulnerability in the PowerVR-GPU kernel driver. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

15) Input validation error

EUVDB-ID: #VU66076

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0947

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to unspecified vulnerability in the PowerVR-GPU kernel driver. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

16) Input validation error

EUVDB-ID: #VU66075

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0946

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to unspecified vulnerability in the PowerVR-GPU kernel driver. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

17) Input validation error

EUVDB-ID: #VU66074

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0891

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to unspecified vulnerability in the PowerVR-GPU kernel driver. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

18) Input validation error

EUVDB-ID: #VU66073

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0887

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to unspecified vulnerability in the PowerVR-GPU kernel driver. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

19) Input validation error

EUVDB-ID: #VU66072

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0698

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to unspecified vulnerability in the PowerVR-GPU kernel driver. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 12 - 12L 2022-08-01, 11 - 11 2022-08-01, 10 - 10 2022-08-01


CPE2.3 External links

http://source.android.com/security/bulletin/2022-08-01#2022-08-05-security-patch-level-vulnerability-details

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###