CVE-2022-20008: Use of Uninitialized Resource in Google Android

Severity
NVD: 4.6 MEDIUM
OSV: 5.6 / 4.7
EPSS: 0.1% (top 82.89%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: May 10
Latest update: May 12

Description

In mmc_blk_read_single of block.c, there is a possible way to read kernel heap memory due to uninitialized data. This could lead to local information disclosure if reading from an SD card that triggers errors, with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android kernel
Android ID: A-216481035
References: Upstream kernel

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 0.9 | Impact: 3.6

Affected Packages (4 packages)

Debian: linux/linux_kernel < 5.10.103-1+3
Ubuntu: linux/linux_kernel < 5.4.0-110.124
debian: debian/linux < linux 5.16.11-1 (bookworm)

Vulnerability Details (5)

OSV: linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, li (2022-05-12)
OSV: linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-raspi vulnerabilities (2022-05-12)
GHSA: GHSA-83pw-hvj9-wh3j: In mmc_blk_read_single of block (2022-05-11)
OSV: CVE-2022-20008: In mmc_blk_read_single of block (2022-05-10)
OSV: CVE-2022-20008: In mmc_blk_read_single of block (2022-05-01)

Vendor Advisories (4)

Ubuntu: Linux kernel vulnerabilities (2022-05-12)
Ubuntu: Linux kernel vulnerabilities (2022-05-12)
Android: CVE-2022-20008: SD MMC (2022-05-01)
Debian: CVE-2022-20008: linux - In mmc_blk_read_single of block.c, there is a possible way to read kernel heap m... (2022)
CVE-2022-20008 — Use of Uninitialized Resource | cvebase