CVE-2022-20472
published 2022-12-13CVE-2022-20472: In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with…
PriorityP260critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
6.65%
93.0th percentile
In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-239210579
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| platform | frameworks_minikin | >= 10:0 < 10:2022-12-01 | 10:2022-12-01 |
| platform | frameworks_minikin | >= 11:0 < 11:2022-12-01 | 11:2022-12-01 |
| platform | frameworks_minikin | >= 12:0 < 12:2022-12-01 | 12:2022-12-01 |
| platform | frameworks_minikin | >= 12L:0 < 12L:2022-12-01 | 12L:2022-12-01 |
| platform | frameworks_minikin | >= 13:0 < 13:2022-12-01 | 13:2022-12-01 |
Detection & IOCsextracted from sources · hover to see the quote
- →Vulnerability is in toLanguageTag function of LocaleListCache.cpp — monitor for crashes or anomalous behavior originating from locale/language tag processing in Android system processes ↗
- →No user interaction required and no additional privileges needed — exploitation can occur remotely and silently, making network-facing Android devices at risk without any user action ↗
- →Affects Android versions 10, 11, 12, 12L, and 13 — prioritize detection and patching on devices running these OS versions ↗
- →Classified as Critical RCE — treat any out-of-bounds read signals in locale list processing as high-severity indicators of potential exploitation ↗
- ·The vulnerability is an out-of-bounds read due to an incorrect bounds check, not a logic/config flaw — no attacker-controlled configuration artifacts are documented in available sources ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-42v3-m5qw-hx2j: In toLanguageTag of LocaleListCache
ghsa_unreviewed·2022-12-13
CVE-2022-20472 [CRITICAL] CWE-125 GHSA-42v3-m5qw-hx2j: In toLanguageTag of LocaleListCache
In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-239210579
OSV
CVE-2022-20472: In toLanguageTag of LocaleListCache
osv·2022-12-01
CVE-2022-20472 CVE-2022-20472: In toLanguageTag of LocaleListCache
In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
CISA ICS
Siemens SIMATIC
cisa_ics·2024-03-14
Siemens SIMATIC
ICS Advisory
##
Siemens SIMATIC
Release DateMarch 14, 2024
Alert CodeICSA-24-074-07
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC
- Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Missing Encryption of Sensitive Data, Incorrect Permission Assignment for Critical Resource, Expected Beha
Android
CVE-2022-20472: Android Security Bulletin 2022-12-01
CVE: CVE-2022-20472
Severity: CRITICAL
Type: RCE
Affected AOSP versions: 10, 11, 12, 12L, 13
References: A-239210
vendor_android·2022-12-01·CVSS 9.8
CVE-2022-20472 [CRITICAL] CVE-2022-20472: Android Security Bulletin 2022-12-01
CVE: CVE-2022-20472
Severity: CRITICAL
Type: RCE
Affected AOSP versions: 10, 11, 12, 12L, 13
References: A-239210
Android Security Bulletin 2022-12-01
CVE: CVE-2022-20472
Severity: CRITICAL
Type: RCE
Affected AOSP versions: 10, 11, 12, 12L, 13
References: A-239210579
No detection rules found.
No public exploits indexed.
2022-12-13
Published