#VU63352 Use of uninitialized resource in Google Android - CVE-2022-20008


Vulnerability identifier: #VU63352

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-20008

CWE-ID: CWE-908

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Google Android
Operating systems & Components / Operating system

Vendor: Google

Description

The vulnerability allows a local application to bypass certain security restrictions.

The vulnerability exists due to usage of uninitialized resources within the mmc_blk_read_single() function in block.c. A local application can obtain potentially sensitive information from memory when reading from an SD card that triggers errors.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Google Android: 10 2020-12-05 - 12

External links
https://source.android.com/security/bulletin/2022-05-01
https://android.googlesource.com/kernel/common/+/2aea7dc18f4249dc53e53598db50b59c26a60aeb
https://android.googlesource.com/kernel/common/+/8a3679a75730c1babde6bf63e35d227f3305bd90
https://android.googlesource.com/kernel/common/+/8f66dc1a78a743ea3c3f039500d2aa0cddd776d5

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC VxRail Appliance
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel