cbcvebase.
CVE-2022-20473
published 2022-12-13

CVE-2022-20473: In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with…

PriorityP261critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
8.85%
94.6th percentile
In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-239267173

Affected

12 ranges
VendorProductVersion rangeFixed in
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
platformframeworks_minikin>= 10:0 < 10:2022-12-0110:2022-12-01
platformframeworks_minikin>= 11:0 < 11:2022-12-0111:2022-12-01
platformframeworks_minikin>= 12:0 < 12:2022-12-0112:2022-12-01
platformframeworks_minikin>= 12L:0 < 12L:2022-12-0112L:2022-12-01
platformframeworks_minikin>= 13:0 < 13:2022-12-0113:2022-12-01

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability is in the `toLanguageTag` function of `LocaleListCache.cpp` — monitor for crashes or anomalous behavior in locale-handling code paths on Android 10–13
  • No user interaction required and no additional privileges needed — exploitation can be fully remote and silent; prioritize detection of unexpected remote code execution on unpatched Android 10/11/12/12L/13 devices
  • Track Android Security Bulletin 2022-12-01 patch level on managed devices; devices reporting a security patch level earlier than 2022-12-01 remain vulnerable to this Critical RCE
  • ·No public proof-of-concept exploit, specific payload, or network indicators were disclosed in the available sources; concrete IOCs (hashes, IPs, domains, signatures) cannot be extracted from the provided documentation
  • ·The Android bug tracker reference (A-239267173) is the only cross-reference identifier available; additional technical details are gated behind Google's internal tracker and not publicly accessible
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.