CVE-2022-20140
published 2022-06-15

Priority P262, critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 8.52% (94.4th percentile)

In read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-12, Android-12L. Android ID: A-227618988

Affected (7 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| google | android | | |
| google | android | | |
| google | android | | |
| google | android | | |
| platform | packages_modules_bluetooth | >= 12L-next:0, < 12L-next:2022-06-01 | 12L-next:2022-06-01 |
| platform | system_bt | >= 12:0, < 12:2022-06-01 | 12:2022-06-01 |
| platform | system_bt | >= 12L:0, < 12L:2022-06-01 | 12L:2022-06-01 |

Detection & IOCs

  • Vulnerability is in the Bluetooth GATT server code path — specifically the `read_multi_rsp` function in `gatt_sr.cc`. Monitor for anomalous Bluetooth GATT Read Multiple responses that trigger out-of-bounds writes on Android 12 / 12L devices.
  • No user interaction is required and no additional execution privileges are needed — exploitation can be triggered remotely over Bluetooth, making this a zero-click remote attack vector. Prioritize detection of unexpected Bluetooth GATT traffic to unpatched Android 12/12L devices.
  • Affected platform versions are Android 12 and Android 12L only. Scope detection and patch-verification efforts to devices running these specific AOSP versions.
  • This is rated CRITICAL severity (EoP) by the Android Security Bulletin for June 2022. The patch is tracked under Android bug ID A-227618988; verify devices have applied the 2022-06-01 security patch level or later.

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C