CVE-2022-20130
Published: 2022-06-15
Priority: P2 (63) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 8.33% (94.2 percentile)
In transportDec_OutOfBandConfig of tpdec_lib.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-224314979
Affected
11 ranges (six "android" entries carry no product or version data and are not listed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| platform | external_aac | >= 10:0 < 10:2022-06-01 | 10:2022-06-01 |
| platform | external_aac | >= 11:0 < 11:2022-06-01 | 11:2022-06-01 |
| platform | external_aac | >= 12:0 < 12:2022-06-01 | 12:2022-06-01 |
| platform | external_aac | >= 12L-next:0 < 12L-next:2022-06-01 | 12L-next:2022-06-01 |
| platform | external_aac | >= 12L:0 < 12L:2022-06-01 | 12L:2022-06-01 |
Version strings are in OSV's Android ecosystem form, AOSP branch followed by security patch level: a device is in range when it runs that branch with a patch level earlier than 2022-06-01.
Detection & IOCs (extracted from sources)
- The vulnerable function is `transportDec_OutOfBandConfig` in `tpdec_lib.cpp` (libMpegTPDec in the Fraunhofer FDK AAC library, AOSP `external/aac`, built as libFraunhoferAAC / libaudiodec). It parses out-of-band decoder configuration such as the AudioSpecificConfig handed to the decoder from a container, so the overflow is reached with attacker-supplied configuration data from a media file or stream.
- No user interaction is required: treat the bug as remotely triggerable by malicious media content. Monitor for unexpected crashes or memory-corruption aborts (SIGSEGV, SIGABRT) in the process that hosts the AAC software codec, on Android 10 and later typically the software codec process (media.swcodec) or whichever process links libFraunhoferAAC on a given build.
- Affected Android versions are 10, 11, 12 and 12L; prioritize detection and patching on devices running those releases without the June 2022 patch level.
- The fix is tracked under Android bug ID A-224314979. Verify patch presence through the device's security patch level (`ro.build.version.security_patch`): 2022-06-01 or later carries the fix.
- Severity is CRITICAL with RCE impact; exploitation requires no additional execution privileges, so code execution lands with the privileges of the decoding process.
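The crash-monitoring and patch-level points above, as an added Python example written for this page. It is not code from AOSP, the Fraunhofer FDK AAC project or the bulletin. The `ro.build.version.release` / `ro.build.version.security_patch` properties and the debuggerd "F DEBUG" line shapes are real; the logcat sample is constructed, and the library paths in it and the `AAC_LIB_RE` library-name patterns are assumptions about how `external/aac` is linked on a particular build.

```python
"""Triage helpers for CVE-2022-20130 (heap buffer overflow in
transportDec_OutOfBandConfig, tpdec_lib.cpp, AOSP external/aac).

Added example for this page; not code from AOSP, FDK-AAC or the bulletin.
The logcat lines below are constructed.
"""
import re
from datetime import date

# From the 2022-06-01 Android Security Bulletin: affected AOSP branches and the
# security patch level (SPL) that carries the fix.
FIXED_SPL = date(2022, 6, 1)
AFFECTED_RELEASES = {"10", "11", "12", "12L"}
_SPL_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def is_patched(release: str, security_patch: str) -> bool:
    """Decide from ro.build.version.release and ro.build.version.security_patch
    whether a device is outside the fix window for this CVE.

    Releases the bulletin does not name (e.g. 13) are treated as not affected.
    A malformed SPL string raises instead of silently reading as "patched".
    """
    m = _SPL_RE.match(security_patch.strip())
    if not m:
        raise ValueError(f"unexpected security patch level: {security_patch!r}")
    spl = date(*map(int, m.groups()))
    if release.strip() not in AFFECTED_RELEASES:
        return True
    return spl >= FIXED_SPL


# debuggerd crash dumps as they appear in logcat ("F DEBUG" tag).
_PROC_RE = re.compile(r"pid: (?P<pid>\d+), tid: \d+, name: (?P<name>\S+)")
_SIG_RE = re.compile(r"signal \d+ \((?P<signame>SIG\w+)\)")
# "#00 pc <addr>  /path/lib.so (symbol+offset)"; symbol is taken up to the first ')'
_FRAME_RE = re.compile(
    r"#\d+ pc [0-9a-f]+\s+(?P<lib>\S+)(?: \((?P<sym>[^)+]+)(?:\+\d+)?\))?"
)
# The function symbol is the reliable signal. Library names are an assumption
# about how external/aac is linked on a given build (libFraunhoferAAC is normally
# a static library folded into the AAC codec plugin), so match them loosely.
AAC_SYMBOL_RE = re.compile(r"^(transportDec_|aacDecoder_)")
AAC_LIB_RE = re.compile(r"FraunhoferAAC|aacdec", re.I)
FATAL_SIGNALS = {"SIGSEGV", "SIGBUS", "SIGABRT"}


def scan_crash_log(lines):
    """Group debuggerd dump lines into crashes and return those whose backtrace
    passes through the FDK-AAC decoder. Each finding carries pid, process name,
    signal and the matching (library, symbol) frames."""
    findings, current = [], None
    for line in lines:
        if "F DEBUG" not in line:
            continue
        m = _PROC_RE.search(line)
        if m:  # header of a new dump: flush the previous one
            _flush(current, findings)
            current = {"pid": int(m["pid"]), "process": m["name"],
                       "signal": None, "frames": []}
            continue
        if current is None:
            continue
        m = _SIG_RE.search(line)
        if m:
            current["signal"] = m["signame"]
            continue
        m = _FRAME_RE.search(line)
        if m:
            current["frames"].append((m["lib"], m["sym"] or ""))
    _flush(current, findings)
    return findings


def _flush(crash, findings):
    if crash is None:
        return
    hits = [(lib, sym) for lib, sym in crash["frames"]
            if AAC_SYMBOL_RE.search(sym) or AAC_LIB_RE.search(lib)]
    if hits and crash["signal"] in FATAL_SIGNALS:
        findings.append({**crash, "aac_frames": hits})


# Constructed sample: one crash inside the AAC transport decoder in the software
# codec process, one unrelated abort in an app. Paths are illustrative.
SAMPLE_LOGCAT = """\
06-14 10:21:07.311  1843  1843 F DEBUG   : pid: 1790, tid: 1801, name: media.swcodec  >>> media.swcodec <<<
06-14 10:21:07.311  1843  1843 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7a3c001000
06-14 10:21:07.312  1843  1843 F DEBUG   : backtrace:
06-14 10:21:07.312  1843  1843 F DEBUG   :       #00 pc 000000000002a4b8  /apex/com.android.media.swcodec/lib64/libcodec2_soft_aacdec.so (transportDec_OutOfBandConfig+1216)
06-14 10:21:07.312  1843  1843 F DEBUG   :       #01 pc 00000000000301c4  /apex/com.android.media.swcodec/lib64/libcodec2_soft_aacdec.so (aacDecoder_ConfigRaw+84)
06-14 10:21:07.312  1843  1843 F DEBUG   :       #02 pc 00000000000b2e70  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start+208)
06-14 10:25:40.002  1843  1843 F DEBUG   : pid: 4102, tid: 4102, name: com.example.app  >>> com.example.app <<<
06-14 10:25:40.002  1843  1843 F DEBUG   : signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
06-14 10:25:40.003  1843  1843 F DEBUG   : backtrace:
06-14 10:25:40.003  1843  1843 F DEBUG   :       #00 pc 000000000004e9c8  /apex/com.android.runtime/lib64/bionic/libc.so (abort+164)
06-14 10:25:40.003  1843  1843 F DEBUG   :       #01 pc 00000000000123a0  /data/app/com.example.app/lib/arm64/libapp.so (native_run+32)
"""

if __name__ == "__main__":
    for f in scan_crash_log(SAMPLE_LOGCAT.splitlines()):
        frames = ", ".join(sym or lib for lib, sym in f["aac_frames"])
        print(f"{f['process']} (pid {f['pid']}) {f['signal']} in {frames}")
    print("patched:", is_patched("12", "2022-05-05"))
```

On a real device, feed `adb logcat -b crash` output to `scan_crash_log` and the two `adb shell getprop` values to `is_patched`. The scanner keys on the function symbol rather than the library name because stripped or differently packaged builds change the latter but not the former; a hit is only a crash worth triaging, not proof of exploitation.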
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
GHSA
GHSA-w6c5-392v-rp9c: In transportDec_OutOfBandConfig of tpdec_lib
ghsa_unreviewed · 2022-06-16 · CVE-2022-20130 · CRITICAL · CWE-787
In transportDec_OutOfBandConfig of tpdec_lib.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-224314979
OSV
CVE-2022-20130: In transportDec_OutOfBandConfig of tpdec_lib
osv · 2022-06-01 · CVE-2022-20130
In transportDec_OutOfBandConfig of tpdec_lib.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
CISA ICS
Siemens SIMATIC (ICS Advisory ICSA-24-074-07)
cisa_ics · 2024-03-14
Release Date: March 14, 2024
Alert Code: ICSA-24-074-07
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC
- Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Missing Encryption of Sensitive Data, Incorrect Permission Assignment for Critical Resource, Expected Beha
Android
CVE-2022-20130: Android Security Bulletin 2022-06-01
vendor_android · 2022-06-01 · CVSS 9.8
CVE: CVE-2022-20130
Severity: CRITICAL
Type: RCE
Affected AOSP versions: 10, 11, 12, 12L
References: A-224314979
No detection rules found.
No public exploits indexed.
Published: 2022-06-15