CVE-2022-20473

CRITICAL

Android -10,11,12,12L,13 - RCE

Title source: llm

Description

In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-239267173

Exploits (2)

nomisec WORKING POC 1 stars

by Trinadh465 · poc

https://github.com/Trinadh465/frameworks_minikin_AOSP10_r33-CVE-2022-20473

View Code ZIP pw:eip

nomisec

by Trinadh465 · poc

https://github.com/Trinadh465/frameworks_minikin_AOSP10_r33_CVE-2022-20473

View on nomisec

References (1)

[Patch, Vendor Advisory] https://source.android.com/security/bulletin/2022-12-01

Scores

CVSS v3 9.8

EPSS 0.5088

EPSS Percentile 97.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-125

Status published

Products (5)

google/android 10.0

google/android 11.0

google/android 12.0

google/android 12.1

google/android 13.0

Published Dec 13, 2022

Tracked Since Feb 18, 2026