Vulnerability identifier: #VU63352

Vulnerability risk: Low

CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20008

CWE-ID: CWE-908

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Google Android
Operating systems & Components / Operating system

Vendor: Google

Description

The vulnerability allows a local application to bypass certain security restrictions.

The vulnerability exists due to usage of uninitialized resources within the mmc_blk_read_single() function in block.c. A local application can obtain potentially sensitive information from memory when reading from an SD card that triggers errors.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Google Android: 12L - 12L 2022-05-01, 12 - 12 2022-05-01, 11 - 11 2022-05-01, 10 - 10 2022-05-01

---

External links
http://source.android.com/security/bulletin/2022-05-01
http://android.googlesource.com/kernel/common/+/2aea7dc18f4249dc53e53598db50b59c26a60aeb
http://android.googlesource.com/kernel/common/+/8a3679a75730c1babde6bf63e35d227f3305bd90
http://android.googlesource.com/kernel/common/+/8f66dc1a78a743ea3c3f039500d2aa0cddd776d5

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.