CVE-2022-20008

Advisory lineage Upstream: 0 Downstream: 14

Downstream

DEBIAN-CVE-2022-20008 OPENSUSE-SU-2022:2177-1 SUSE-SU-2022:2078-1 SUSE-SU-2022:2079-1 SUSE-SU-2022:2177-1 SUSE-SU-2022:3584-1

Modified

Published: 10 May 2022, 19:56

Last modified:03 Aug 2024, 01:55

Vulnerability Summary

Overall Risk (default)

low

18/100

CVSS Score

4.6 MEDIUM

v3.1 (nvd)

EPSS Score

0.05% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

10 May 2022, 19:56

Published

Vulnerability first disclosed

03 Aug 2024, 01:55

Last Modified

Vulnerability information updated

Description

In mmc_blk_read_single of block.c, there is a possible way to read kernel heap memory due to uninitialized data. This could lead to local information disclosure if reading from an SD card that triggers errors, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-216481035References: Upstream kernel

CVSS Metrics

v3.1•MEDIUM•Score: 4.6CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
v2.0•LOW•Score: 2.1AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.05%• Percentile: 15%

Techniques & Countermeasures

CWE-908•Use of Uninitialized Resource
The product uses or accesses a resource that has not been initialized.

Affected Systems

google•android
na

References (1)

https://source.android.com/security/bulletin/2022-05-01