CVE-2022-20472
published 2022-12-13


Priority: P260, critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.65% (93.0th percentile)

In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-10 Android-11 Android-12 Android-12L Android-13
Android ID: A-239210579

Affected

12 ranges

Vendor    Product             Version range               Fixed in
google    android
google    android
google    android
google    android
google    android
google    android
google    android
platform  frameworks_minikin  >= 10:0 < 10:2022-12-01     10:2022-12-01
platform  frameworks_minikin  >= 11:0 < 11:2022-12-01     11:2022-12-01
platform  frameworks_minikin  >= 12:0 < 12:2022-12-01     12:2022-12-01
platform  frameworks_minikin  >= 12L:0 < 12L:2022-12-01   12L:2022-12-01
platform  frameworks_minikin  >= 13:0 < 13:2022-12-01     13:2022-12-01

Detection & IOCs (extracted from sources)

  • Vulnerability is in toLanguageTag function of LocaleListCache.cpp — monitor for crashes or anomalous behavior originating from locale/language tag processing in Android system processes
  • No user interaction required and no additional privileges needed — exploitation can occur remotely and silently, putting network-facing Android devices at risk without any user action
  • Affects Android versions 10, 11, 12, 12L, and 13 — prioritize detection and patching on devices running these OS versions
  • Classified as Critical RCE — treat any out-of-bounds read signals in locale list processing as high-severity indicators of potential exploitation
  • The vulnerability is an out-of-bounds read due to an incorrect bounds check, not a logic/config flaw — no attacker-controlled configuration artifacts are documented in available sources