Multuiple vulnerabilities in Google Pixel
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2022-28388 CVE-2022-25654 CVE-2022-25653 CVE-2022-20231 CVE-2022-20364 |
| CWE-ID | CWE-415 CWE-119 CWE-125 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Pixel Mobile applications / Mobile firmware & hardware |
| Vendor |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Double Free
EUVDB-ID: #VU63160
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-28388
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code with elevated privileges.
The vulnerability exists due to boundary error in the usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c. A local user can pass specially crafted data to the application, trigger double free error and execute arbitrary code with elevated privileges.
MitigationInstall update from vendor's website.
Vulnerable software versionsPixel: before 12L 2022-09-05
External linkshttp://source.android.com/docs/security/bulletin/pixel/2022-09-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Buffer overflow
EUVDB-ID: #VU67092
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25654
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing ION commands within kernel. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsPixel: before 12L 2022-09-05
External linkshttp://source.android.com/docs/security/bulletin/pixel/2022-09-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds read
EUVDB-ID: #VU67085
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25653
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when processing AVI files. A remote attacker can create a specially crafted AVI file, trick the victim into playing it, trigger an out-of-bounds read error and read contents of memory on the system or crash the application.
MitigationInstall update from vendor's website.
Vulnerable software versionsPixel: before 12L 2022-09-05
External linkshttp://source.android.com/docs/security/bulletin/pixel/2022-09-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU67093
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-20231
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Trusty component. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsPixel: before 12L 2022-09-05
External linkshttp://source.android.com/docs/security/bulletin/pixel/2022-09-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Buffer overflow
EUVDB-ID: #VU67094
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-20364
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the kernel component. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.
MitigationInstall update from vendor's website.
Vulnerable software versionsPixel: before 12L 2022-09-05
External linkshttp://source.android.com/docs/security/bulletin/pixel/2022-09-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
