CVE-2022-20393Integer Underflow (Wrap or Wraparound) in Google Android

CWE-191Integer Underflow (Wrap or Wraparound)CWE-190Integer Overflow or Wraparound5 documents5 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 95.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Platform Frameworks AVGoogle Android
Timeline
PublishedSep 13
Latest updateSep 14

Description

In extract3GPPGlobalDescriptions of TextDescriptions.cpp, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure from the media server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-233735886

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

CVEListV5google/androidAndroid-11 Android-12 Android-12L
NVDgoogle/android11.0, 12.0, 12.1+2
Androidplatform/frameworks_av13-next:013-next:2022-09-01+3

Patches

Patch: source.android.comPatch: source.android.com

🔴Vulnerability Details

3
GHSA
GHSA-jjm4-p9mf-6j8g: In extract3GPPGlobalDescriptions of TextDescriptions2022-09-14
CVEList
CVE-2022-20393: In extract3GPPGlobalDescriptions of TextDescriptions2022-09-13
OSV
CVE-2022-20393: In extract3GPPGlobalDescriptions of TextDescriptions2022-09-01

📋Vendor Advisories

1
Android
CVE-2022-20393: Android Security Bulletin 2022-09-01 CVE: CVE-2022-20393 Severity: HIGH Type: ID Affected AOSP versions: 11, 12, 12L References: A-2337358862022-09-01
CVE-2022-20393 — Integer Underflow (Wrap or Wraparound) | cvebase