CVE-2022-20360

HIGH

Android - Local Privilege Escalation via SecureNfcPreferenceController

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-20360. PoCs published by 726232111.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2022-20360, targeting Android Open Source Project (AOSP) version 10 r33. The exploit appears to involve the Settings app, with multiple Java files modified to demonstrate the vulnerability.

Description

In setChecked of SecureNfcPreferenceController.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-228314987

Exploits (1)

nomisec WORKING POC
by 726232111 · poc
https://github.com/726232111/packages_apps_Settings_AOSP_10_r33_CVE-2022-20360

This repository contains a proof-of-concept exploit for CVE-2022-20360, targeting Android Open Source Project (AOSP) version 10 r33. The exploit appears to involve the Settings app, with multiple Java files modified to demonstrate the vulnerability.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Android Open Source Project (AOSP) 10 r33
No auth needed
Prerequisites: Access to the target Android device · Ability to install or modify the Settings app
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Patch, Vendor Advisory x_refsource_misc
https://source.android.com/security/bulletin/2022-08-01

Scores

CVSS v3 7.8
EPSS 0.0019
EPSS Percentile 8.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-269 CWE-862
Status published
Products (4)
google/android 10.0
google/android 11.0
google/android 12.0
google/android 12.1
Published Aug 10, 2022
Tracked Since Feb 18, 2026