CVE-2021-35097 — Improper Verification of Cryptographic Signature in Google Android

CWE-347 — Improper Verification of Cryptographic Signature4 documents4 sources

Severity

6.8MEDIUMNVD

EPSS

0.0%

top 90.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Android

Timeline

PublishedSep 2

Latest updateJan 1

Description

Possible authentication bypass due to improper order of signature verification and hashing in the signature verification call in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages1 packages

▶googlegoogle/android

🔴Vulnerability Details

GHSA

GHSA-mp2x-rxhg-987g: Possible authentication bypass due to improper order of signature verification and hashing in the signature verification call in Snapdragon Auto, Snap↗2022-09-03

▶

📋Vendor Advisories

Android

CVE-2021-35097: Closed-source component↗2023-01-01

▶

Red Hat

snapdragon: authentication bypass↗2022-09-02

▶