Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.

hello,i have discussed with security engineer from liblzma,the vulnerability may caused by zipx\_lzma\_alone\_init().if you have time,please debug to check it.look forward to you reply thanks. The Message records bellow: On 2022-03-18 jun ma wrote: &gt; oh，thanks for your reply ，i have debuged it using gdb and discussed &gt; with security&nbsp; engineer from libarchive,it &gt; &gt; high possibility caused by liblzma.when you have time, hope you can &gt; take some time to have a look.thanks! The problem is that lzma\_code() is called with lzma\_stream.avail\_in set to 18446744073709551607 which equals -9 when interpret as a signed value. That is, it's a bug in libarchive. I attached a patch that adds a few fprintf() calls to libarchive which show how the incorrect value comes from zipx\_lzma\_alone\_init() but I didn't debug how to fix it. Here is the output: DEBUG: libarchive/archive\_read\_support\_format\_zip.c:1607: init DEBUG: libarchive/archive\_read\_support\_format\_zip.c:1728: zip-&gt;entry\_bytes\_remaining = 1 DEBUG: libarchive/archive\_read\_support\_format\_zip.c:1859: zip-&gt;entry\_bytes\_remaining = 1, bytes\_avail = 94559 DEBUG: libarchive/archive\_read\_support\_format\_zip.c:1916: zip-&gt;entry\_bytes\_remaining = 1, to\_consume = 1 DEBUG: libarchive/archive\_read\_support\_format\_zip.c:1607: init DEBUG: libarchive/archive\_read\_support\_format\_zip.c:1728: zip-&gt;entry\_bytes\_remaining = 1 DEBUG: libarchive/archive\_read\_support\_format\_zip.c:1859: zip-&gt;entry\_bytes\_remaining = 1, bytes\_avail = 94501 DEBUG: libarchive/archive\_read\_support\_format\_zip.c:1916: zip-&gt;entry\_bytes\_remaining = 1, to\_consume = 1 DEBUG: libarchive/archive\_read\_support\_format\_zip.c:1607: init DEBUG: libarchive/archive\_read\_support\_format\_zip.c:1728: zip-&gt;entry\_bytes\_remaining = -9 DEBUG: libarchive/archive\_read\_support\_format\_zip.c:1859: zip-&gt;entry\_bytes\_remaining = -9, bytes\_avail = 94443 Can you forward the above information to libarchive developers? Thank you for your effort to look for bugs and reporting them! Two minor things for the future: I understand that sending the bad .zip file directly as an attachment doesn't work for some destinations because antivirus products can block such emails (GMail does). I could extract the .rar with 7z from p7zip so it wasn't a problem for me, but in general free software developers prefer exchanging information using fully open formats like .zip, .7z, or .tar + some compressor. .zip with its very old (and insecure) encryption is supported widely. I tested this with GMail: &nbsp; &nbsp; zip -e badfile.zip badfile.bin&nbsp; # password set to 123456 This worked. Without encryption it was rejected. I think the filename inside the encrypted .zip must be something like .bin instead of .zip since filenames aren't encrypted. The second thing is that I did receive the email with the subject crash-58af2238755ec09600f15fed6e3e606c09638f42 but I wasn't on my computer during those days, so I was slow to reply, sorry. (My email provider doesn't block attachments as easily as GMail does.) The email contained a 46-megabyte attachment (base64-encoded size) which I suppose was the test program binary. That is a fairly big file to attach and most people (me included) won't run binaries received in email. Again, thanks for your help in finding and reporting bugs!

…

\-- Lasse Collin

\------------------&nbsp;原始邮件&nbsp;------------------ 发件人: "马骏" \*\*\*@\*\*\*.\*\*\*&gt;; 发送时间:&nbsp;2022年3月4日(星期五) 下午5:15 \*\*\*@\*\*\*.\*\*\*&gt;; 主题:&nbsp;回复：转发：回复： \[libarchive/libarchive\] The libarchive lib exist a READ memory access Vulnerability (Issue #1672) Please ask if this vulnerability has been confirmed

\------------------ 原始邮件 ------------------ 发件人: "马骏" \*\*\*@\*\*\*.\*\*\*&gt;; 发送时间:&nbsp;2022年3月4日(星期五) 上午10:33 \*\*\*@\*\*\*.\*\*\*&gt;; 主题:&nbsp;回复：转发：回复： \[libarchive/libarchive\] The libarchive lib exist a READ memory access Vulnerability (Issue #1672) Please ask if this vulnerability has been confirmed

\------------------ 原始邮件 ------------------ 发件人: "马骏" \*\*\*@\*\*\*.\*\*\*&gt;; 发送时间:&nbsp;2022年2月26日(星期六) 晚上6:31 \*\*\*@\*\*\*.\*\*\*&gt;; 主题:&nbsp;转发：回复： \[libarchive/libarchive\] The libarchive lib exist a READ memory access Vulnerability (Issue #1672) i have send this mail ,you can see this

\---原始邮件--- 发件人: \*\*\*@\*\*\*.\*\*\*&gt; 发送时间: 2022年2月26日(周六) 下午5:45 收件人: \*\*\*@\*\*\*.\*\*\*&gt;; 主题: 回复： \[libarchive/libarchive\] The libarchive lib exist a READ memory access Vulnerability (Issue #1672) hello,the testcase 、 source file 、crash file see the attachments。Besides，i have Submit cve aim at this question

\------------------ 原始邮件 ------------------ 发件人: "libarchive/libarchive" \*\*\*@\*\*\*.\*\*\*&gt;; 发送时间:&nbsp;2022年2月26日(星期六) 下午5:12 \*\*\*@\*\*\*.\*\*\*&gt;; \*\*\*@\*\*\*.\*\*\*\*\*\*@\*\*\*.\*\*\*&gt;; 主题:&nbsp;Re: \[libarchive/libarchive\] The libarchive lib exist a READ memory access Vulnerability (Issue #1672) @icycityone what we need is a sample test file to reproduce the vulnerability — Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you were mentioned.Message ID: \*\*\*@\*\*\*.\*\*\*&gt;

CVE-2022-26280: The libarchive lib exist a READ memory access Vulnerability · Issue #1672 · libarchive/libarchive

The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation.

`#############################################################   #   # COMPASS SECURITY ADVISORY   # https://www.compass-security.com/research/advisories/   #   #############################################################   #   # Product: 3CX Client for Windows (legacy), Android & iOS   # Vendor: 3CX   # CSNC ID: CSNC-2021-021   # CVE ID: CVE-2021-45490   # Subject: Missing Certificate Verification   # CWE-ID: CWE-295 (Improper Certificate Validation)   # Severity: Medium   # Effect: Network Traffic Decryption and Manipulation   # Author: Emanuel Duss <emanuel.duss@compass-security.com>   # Date: 2022-03-17   #   #############################################################  Introduction   ------------  3CX is an open-platform office phone system that runs on premise on Windows or   Linux. 3CX was built for mobility, with remote work apps that offer secured   communication for the whole team. With the Android, iOS and Windows apps,   business communication is no longer tied to the office building. [1]  During a customer project, we identified a security vulnerability in the 3CX   clients for Windows (legacy), Android and iOS. These applications do not verify   the TLS certificate of the 3CX server.  Affected   --------  - All versions of the 3CX application for Windows (legacy), Android and iOS are   affected.   - There is no fix from the vendor at the moment.   - The new Electron based 3CX Desktop App is not affected.  Description   -----------  The 3CX clients for Windows (legacy), Android, and iOS do not verify the TLS   certificate of the 3CX server.  This allows an attacker between the 3CX application and the 3CX server to split   the TLS traffic and therefore read and manipulate the transmitted data.  For example, the data required for provisioning a new device can be read every   time when the app is started. This data can then be used to provision another   app.  Thus, attackers can provision an own device and use the entire functionality of   the app. This includes:  - List companies in the phone book   - Make phone calls   - Listen to voice box   - etc.  This attack can for example be reproduced by performing an ARP spoofing attack   in the network against the target client and by using Burp Suite as a   transparent HTTP proxy.  Vulnerability Classification   ----------------------------  CVSS v3.1 Metrics [2]:  - CVSS Base Score: 6.5 (Medium)   - CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N  Workaround / Fix   ----------------  # 3CX Vendor  The app should correctly verify the server's certificate using the system CA   store or implement certificate pinning in the apps.  # 3CX Users  There is no security update for this vulnerability at the moment. According to   the 3CX, the vulnerability will be tackled in future redesigns of the mobile   apps.  Users of the legacy Windows client can switch to the new Electron based 3CX   Desktop App which is not affected.  Timeline   --------  2021-12-16: Vulnerability discovered   2021-12-17: Discussed vulnerability with our customer   Asked 3CX for security contact on Twitter, community forum, support   email and contact form.   Got response via support mail. Security contact was dpo@3cx.com   Provided details   Requested CVE ID @ MITRE   2021-12-25: Assigned CVE-2021-45490   2022-01-03: Asked vendor if they understood the vulnerability.   Answer: Report was distributed internally.   2022-01-18: Asked vendor for any updates.   2022-02-02: Asked vendor for any updates.   2022-02-10: Asked vendor for any updates. 3CX can't tell when the issue will   be fixed.   2022-03-11: Asked vendor for any updates. 3CX thanked for the report.   Issues will be tackled in future redesigns of the mobile apps.   2022-03-17: Coordinated public disclosure  Acknowledgement   ---------------  Thanks 3CX for the coordinated dicslosure.  References   ----------  [1] https://www.3cx.com/   [2] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N&version=3.1  `

CVE-2021-45490: 3CX Client Missing TLS Validation ≈ Packet Storm

3CX System through 2022-03-17 stores cleartext passwords in a database.

`#############################################################   #   # COMPASS SECURITY ADVISORY   # https://www.compass-security.com/research/advisories/   #   #############################################################   #   # Product: 3CX Phone System   # Vendor: 3CX   # CSNC ID: CSNC-2021-022   # CVE ID: CVE-2021-45491   # Subject: Exportable Cleartext Passwords   # CWE-ID: CWE-257 (Storing Passwords in a Recoverable Format)   # Severity: Medium   # Effect: Credential Reuse   # Author: Emanuel Duss <emanuel.duss@compass-security.com>   # Date: 2022-03-17   #   #############################################################  Introduction   ------------  3CX is an open-platform office phone system that runs on premise on Windows or   Linux. 3CX was built for mobility, with remote work apps that offer secured   communication for the whole team. With the Android, iOS and Windows apps,   business communication is no longer tied to the office building. [1]  During a customer project, we identified a security vulnerability in the 3CX   system. The user passwords of the 3CX system are stored in plain text in the   database and are also exportable in the administration interface.  Affected   --------  - All versions of the 3CX application are affected.   - There is no fix from the vendor.  Description   -----------  The user passwords of the 3CX system are stored in plain text in the database   and are also exportable in the administration interface.  This can be verified by exporting the credentials via the admin interface or by   looking into the SQL database. This issue is also already documented in the   community forum since 2019 [2].  The storage of passwords in a recoverable format makes them subject to password   reuse attacks by malicious users. In fact, it should be noted that recoverable   encrypted passwords provide no significant benefit over plaintext passwords   since they are subject not only to reuse by malicious attackers but also by   malicious insiders. If a system administrator can recover a password directly,   or use a brute force search on the available information, the administrator can   use the password on other accounts. [3]  Vulnerability Classification   ----------------------------  CVSS v3.1 Metrics [4]:  - CVSS Base Score: 5.5 (Medium)   - CVSS Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N  Workaround / Fix   ----------------  # 3CX Vendor  A password hash function such as PBKDF2, bcrypt or scrypt should be used for   passwords. The passwords should also be provided with a salt that is generated   individually for each user. This can make attacks that use rainbow tables or   pre-calculated wordlists more difficult.  # 3CX Users  There is no security update for this vulnerability at the moment. According to   the 3CX, the vulnerability will be tackled in future redesigns of the   management console.  Timeline   --------  2021-12-16: Vulnerability discovered   2021-12-17: Discussed vulnerability with our customer   Asked 3CX for security contact on Twitter, community forum, support   email and contact form.   Got response via support mail. Security contact was dpo@3cx.com   Provided details   Requested CVE ID @ MITRE   2021-12-25: Assigned CVE-2021-45491   2022-01-03: Asked vendor if they understood the vulnerability.   Answer: Report was distributed internally.   2022-01-18: Asked vendor for any updates.   2022-02-02: Asked vendor for any updates.   2022-02-10: Asked vendor for any updates. 3CX can't tell when the issue will   be fixed.   2022-03-11: Asked vendor for any updates. 3CX thanked for the report. Issues   will be tackled in future redesigns of the management console.   2022-03-17: Coordinated public disclosure  Acknowledgement   ---------------  Thanks 3CX for the coordinated disclosure.  References   ----------  [1] https://www.3cx.com/   [2] https://www.3cx.de/forum/threads/klartext-passwort-willkommen-mail-also-auch-in-db.94280/   [3] https://cwe.mitre.org/data/definitions/257.html   [4] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N&version=3.1  `

CVE-2021-45491: 3CX Phone System Cleartext Passwords ≈ Packet Storm

The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due to mishandling of the JavaScript window.open function (used to open a secondary browser window). This could be exploited by tricking users into supplying sensitive information such as credentials, because the address bar would display a legitimate URL, but content would be hosted on the attacker's web site.

Press Releases | 8 February 2022

******New address bar vulnerabilities found in DuckDuckGo and Tap Browser, disclosed by Cyber Citadel researchers, could affect millions of iOS and Android users******

Cyber Citadel’s Lead Security Researcher Rafay Baloch and Security Researcher Muhammad Samak disclosed address bar spoofing vulnerabilities today in the DuckDuckGo browser for iOS, Video Downloader Browser for Android and Tap Browser for iOS mobile web browser applications

These flaws can be exploited, by potentially tricking users into supplying sensitive information to a malicious website. Our discovery found that a malicious attacker could easily lead the unsuspecting users to believe that they are visiting a legitimate website as the address bar points to the correct website. It is pertinent to mention here that, Cyber Citadel, as a part of its responsible disclosure policy gave a time frame of 60 days to all three browsers to fix these vulnerabilities. At the time of publishing this disclosure, the issue was only addressed by DuckDuckGo.

****Address Bar Spoofing Vulnerabili**es**

Mobile web browser address bar spoofing allows an attacker to change the URL of a malicious website to one that represents a legitimate website i.e. google.com, bing.com, facebook.com, or apple.com, for example.

This vulnerability bypasses the security certificates built into most modern mobile address bars. Desktop web browsers designate a website as safe by the lock icon on the far left of an address bar that ‘guarantees’ a website has a valid SSL certificate and is, therefore, secure.

On the other hand, security indicators on mobile devices are harder to find, due to the lack of screen real-estate, and restrict the ability to interrogate security elements. With typical users being unaware of website validation on mobile web browsers, cybercriminals are free to insert fake malicious pages with spoofed URL addresses.

Address bar spoofing traditionally scores approximately 4.3 out of 10 on the Common Vulnerability Scoring System (CVSS), technically assigning address bar spoofing with a moderate impact.

However, given the substantial 667% rise in spear-phishing attacks experienced during the COVID-19 pandemic, mobile address bar spoofing should arguably be held in higher regard. In a survey conducted by Mimecast, 2.1 million domains were tied to phishing attacks, with 47% of successful attacks making use of fraudulent websites. The disclosed DuckDuckGo and Tap Browser vulnerabilities directly tie into these figures by allowing cybercriminals to make fraudulent websites more believable and, therefore, more successful in harvesting sensitive information.

**DuckDuckGo**

‘Hatched’ in 2008, DuckDuckGo has become a popular web browsing tool downloaded 5 million times per month as a mobile application or desktop extension. It gives users the ability to browse the web privately, while protecting users from internet trackers.

The recent address bar spoofing CVE-2021-44683 disclosed by Baloch and Samak considerably weakens DuckDuckGo’s promised privacy protections for iOS users.

In the proof of concept (POC), Baloch and Samak revealed that version 7.64.4 of DuckDuckGo’s iOS application was prone to address bar spoofing due to a mishandling of JavaScript’s window.open function used to open a secondary window.

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/DDG-POC-copy-1.jpg)

DuckDuckGo address bar spoofing POC

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/DDG-Evidence.jpg)

DuckDuckGo address bar spoofing evidence

When exploited by a bad actor, an address bar in a secondary window opened in DuckDuckGo would display a legitimate URL despite being hosted by an attacker. This fraudulent page could be designed to trick users into supplying sensitive PII such as usernames and passwords.

**Tap Browser**

Built exclusively for iOS, Tap Browser is used for its additional web browsing functionalities such as easy navigation icons, in-app media players and an in-built VPN service.

Although a relatively low user base (7,000 downloads), the Tap Browser address bar spoofing vulnerability part of the CVE-2021-44683 disclosed by Baloch and Samak was open to secondary window exploitation.

In the POC, Baloch and Samak demonstrated how a secondary window could be spoofed by a bad actor to replicate Facebook, Gmail, Apple and Bing browsers.

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-1.jpg)

1\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS1.png)

1\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-2.jpeg)

2\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS2.png)

2\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-3.jpeg)

3\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS3.png)

3\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-4.jpg)

4\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS4.png)

4\. Evidence of address bar spoofing in Tap Browser

**Response from Vendors**

**Vendor**

**Service**

**Version**

**Platform**

**Reported Date**

**Fixed**

**CVE**

DuckDuckGo

DuckDuckGo

7.64.4

iOS

26/09/21

7.64.18

CVE-2021-44683

Tap Browser

Tap Browser

1.2

iOS

26/09/21

Unfixed

N/A

**HexCon Talk on Address Bar Spoofing Flaws**

This is not the first time, Rafay Baloch has found flaws in browsers. In October 2021 at the Hexcon Security conference, Rafay Baloch presented his findings across various mobile browsers titled “What you see, is not always what you get”. Various categories of address bar spoofing vulnerabilities were discussed along with how these vulnerabilities can be used to abuse security mechanisms in browsers.

**Previous CVEs Disclosed by Cyber Citadel Researchers**

This disclosure by Cyber Citadel security researchers comes a year after Rafay Baloch teamed up with Rapid7’s Director of Research Tod Beardsley to disclose a similar address bar vulnerability across seven mobile web browsers including Apple Safari and Opera Touch.

Baloch reported multiple vulnerabilities on Chrome and Firefox browsers in 2016, Google Inc’s Android browser in 2014, and was paid a total of US$10,000 for reporting a Code Execution/Command Execution vulnerability on PayPal’s sub-domain in 2012. He is considered one of the world’s top ethical hackers and listed in the Google, Facebook, PayPal and Microsoft Hall of Fame.

CVE-2021-44683: Multiple Address Bar Spoofing Flaws in Mobile Browsers - Cyber Citadel

Unauthenticated Stored Cross-Site Scripting (XSS) in Simple Ajax Chat <= 20220115 allows an attacker to store the malicious code. However, the attack requires specific conditions, making it hard to exploit.

CVE-2022-25610: Simple Ajax Chat

Whatsapp iOS 2.19.80 and prior and Android 2.19.222 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.

**CWE-451: User Interface (UI) Misrepresentation of Critical Information.**

> _The user interface does not properly represent critical information to the user, allowing the information to be spoofed. This is often a component in online scams, phishing and disinformation propagation._

When a message contains a valid URL, it is highlighted and marked as hyperlink. However, this is printed to screen before sanitizing Unicode Control Characters, which results in URI spoofing via specially crafted messages.

`Affects all recent distributions of iOS iMessage, WhatsApp, Instagram, and Facebook Messenger as of 2019.8.15`

WhatsApp

Instagram DM

![POCW](https://github.com/zadewg/RIUS/raw/master/whatsapp.gif)

![POCI](https://github.com/zadewg/RIUS/raw/master/instagram.gif)

**mapez** - telegram

CVE-2020-20096: GitHub - zadewg/RIUS: RTLO Injection URI Spoofing

The UNISOC chipset through 2022-03-15 allows attackers to obtain remote control of a mobile phone, e.g., to obtain sensitive information from text messages or the device's screen, record video of the device's physical environment, or modify data.

News

**Kryptowire Identifies Security and Privacy Vulnerability in Mobile Device Chipset from China**

![](https://cdn.statically.io/img/www.kryptowire.com/wp-content/uploads/2022/03/Kryptowire-Identifies-Security_Large.png?quality=100&f=auto)

**March 15, 2022 – McLean, VA, United States –** Kryptowire Inc., a mobile security and privacy solutions company, today announced that they have identified a critical security and privacy vulnerability affecting mobile devices with UNISOC, China’s largest designer of chips for mobile phones. The vulnerability within the chipset, if exploited, allows malicious actors to take control over user data and device functionality.

Specifically, the vulnerability allows intruders to access call and system logs, text messages, contacts, and other private data, video record the device’s screen or use the external-facing camera to record video, or even take control of the device remotely, altering or wiping data. Adhering to its disclosure policy, Kryptowire notified affected device manufacturers and carriers, as well as UNISOC, of the vulnerability in December 2021.

“In an increasingly competitive mobile device market, it’s imperative that device manufacturers establish and maintain trust among carriers and end users,” Alex Lisle, Chief Technical Officer, Kryptowire. “Kryptowire’s core technology, which provides rapid, automatic vulnerability scanning without intrusion into end user data, helps stakeholders find and remediate critical security and privacy gaps faster and more efficiently, increasing confidence in the face of complex security challenges.”

Mobile device and operating system (iOS and Android) use has increased rapidly in the pandemic era, especially as more exchanges, transactions, and communications go “mobile-first.” This combined with the new found risks in the supply-chain has resulted in oversights and security flaws. Accordingly, businesses need AI enabled cloud-based mobile security solutions that not only safeguard mobile devices from bad actors, but also provide intrusion-free protection to its end users. In 2021 alone, Kryptowire scanned over 3 billion lines of code across 70,000 applications, discovering over 500 vulnerabilities affecting approximately 2 billion devices.

Founded in 2011, Kryptowire developed and launched its Mobile Application Security Testing (MAST) service, leveraging its military-grade proprietary analysis engine. This AI enabled cloud-based service gives organizations the ability to automatically scan mobile content for security, privacy, and compliance issues without accessing source code. This saves time, reduces human resource burdens, and preserves end user privacy.

**About Kryptowire**

Kryptowire is a leader in cloud-based mobile security and privacy solutions, delivering organizations and end-users the peace of mind that comes with intrusion-free mobile security. We enable organizations to scan mobile devices and applications for security, compliance, and other vulnerabilities without accessing source code, saving time and preserving privacy. Our mission is to make world-class mobile security available to more businesses and communities around the world.

Please visit www.kryptowire.com or connect with us on LinkedIn and Twitter (@kryptowire) for more information.

**Media Contact**  
media@kryptowire.com

News

**Kryptowire Identifies Security and Privacy Vulnerability in Mobile Device Chipset from China**

![](https://cdn.statically.io/img/www.kryptowire.com/wp-content/uploads/2022/03/Kryptowire-Identifies-Security_Large.png?quality=100&f=auto)

**March 15, 2022 – McLean, VA, United States –** Kryptowire Inc., a mobile security and privacy solutions company, today announced that they have identified a critical security and privacy vulnerability affecting mobile devices with UNISOC, China’s largest designer of chips for mobile phones. The vulnerability within the chipset, if exploited, allows malicious actors to take control over user data and device functionality.

Specifically, the vulnerability allows intruders to access call and system logs, text messages, contacts, and other private data, video record the device’s screen or use the external-facing camera to record video, or even take control of the device remotely, altering or wiping data. Adhering to its disclosure policy, Kryptowire notified affected device manufacturers and carriers, as well as UNISOC, of the vulnerability in December 2021.

“In an increasingly competitive mobile device market, it’s imperative that device manufacturers establish and maintain trust among carriers and end users,” Alex Lisle, Chief Technical Officer, Kryptowire. “Kryptowire’s core technology, which provides rapid, automatic vulnerability scanning without intrusion into end user data, helps stakeholders find and remediate critical security and privacy gaps faster and more efficiently, increasing confidence in the face of complex security challenges.”

Mobile device and operating system (iOS and Android) use has increased rapidly in the pandemic era, especially as more exchanges, transactions, and communications go “mobile-first.” This combined with the new found risks in the supply-chain has resulted in oversights and security flaws. Accordingly, businesses need AI enabled cloud-based mobile security solutions that not only safeguard mobile devices from bad actors, but also provide intrusion-free protection to its end users. In 2021 alone, Kryptowire scanned over 3 billion lines of code across 70,000 applications, discovering over 500 vulnerabilities affecting approximately 2 billion devices.

Founded in 2011, Kryptowire developed and launched its Mobile Application Security Testing (MAST) service, leveraging its military-grade proprietary analysis engine. This AI enabled cloud-based service gives organizations the ability to automatically scan mobile content for security, privacy, and compliance issues without accessing source code. This saves time, reduces human resource burdens, and preserves end user privacy.

**About Kryptowire**

Kryptowire is a leader in cloud-based mobile security and privacy solutions, delivering organizations and end-users the peace of mind that comes with intrusion-free mobile security. We enable organizations to scan mobile devices and applications for security, compliance, and other vulnerabilities without accessing source code, saving time and preserving privacy. Our mission is to make world-class mobile security available to more businesses and communities around the world.

Please visit www.kryptowire.com or connect with us on LinkedIn and Twitter (@kryptowire) for more information.

**Media Contact**  
media@kryptowire.com

CVE-2022-27250: Kryptowire Identifies Security and Privacy Vulnerability in Mobile Device Chipset from China

Product: AndroidVersions: Android kernelAndroid ID: A-173788806References: Upstream kernel

_Published March 7, 2022_

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices (Google devices). For Google devices, security patch levels of 2022-03-05 or later address all issues in this bulletin and all issues in the March 2022 Android Security Bulletin. To learn how to check a device's security patch level, see Check and update your Android version.

All supported Google devices will receive an update to the 2022-03-05 patch level. We encourage all customers to accept these updates to their devices.

**Announcements**

*   In addition to the security vulnerabilities described in the March 2022 Android Security Bulletin, Google devices also contain patches for the security vulnerabilities described below.

**Security patches**

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel components**

    

CVE

References

Type

Severity

Component

CVE-2021-43267

A-205243414  
Upstream kernel

RCE

Moderate

Kernel

CVE-2021-22600

A-213464034  
Upstream kernel

EoP

Moderate

Kernel

CVE-2021-37159

A-195082947  
Upstream kernel \[2\]

EoP

Moderate

Kernel

CVE-2021-39712

A-176918884\*

EoP

Moderate

Kernel

CVE-2021-39713

A-173788806  
Upstream kernel \[2\] \[3\] \[4\] \[5\]

EoP

Moderate

Kernel

CVE-2021-39714

A-205573273  
Upstream kernel

EoP

Moderate

Kernel

CVE-2021-41864

A-202511260  
Upstream kernel

EoP

Moderate

Kernel

CVE-2021-21781

A-197850306  
Upstream kernel

ID

Moderate

Kernel

CVE-2021-33624

A-192972537  
Upstream kernel

ID

Moderate

Kernel

CVE-2021-39711

A-154175781  
Upstream kernel

ID

Moderate

Kernel

CVE-2021-39715

A-178379135  
Upstream kernel

ID

Moderate

Kernel

CVE-2021-39792

A-161010552  
Upstream kernel

ID

Moderate

Kernel

CVE-2021-43975

A-207093880  
Upstream kernel

ID

Moderate

Kernel

**Pixel**

    

CVE

References

Type

Severity

Component

CVE-2021-39720

A-207433926\*

RCE

Critical

Modem

CVE-2021-39723

A-209014813\*

RCE

Critical

Modem

CVE-2021-39737

A-208229524\*

RCE

Critical

Modem

CVE-2021-25279

A-214310168\*

EoP

Critical

Modem

CVE-2021-25478

A-214309660\*

EoP

Critical

Modem

CVE-2021-25479

A-214309790\*

EoP

Critical

Modem

CVE-2021-39710

A-202160245\*

EoP

High

Telephony

CVE-2021-39734

A-208650395\*

EoP

High

Telephony

CVE-2021-39793

A-210470189\*

EoP

High

Display/Graphics

CVE-2021-39726

A-181782896\*

ID

High

Modem

CVE-2021-39727

A-196388042\*

ID

High

Titan M2

CVE-2021-39718

A-205035540\*

EoP

Moderate

Telephony

CVE-2021-39719

A-205995178\*

EoP

Moderate

Camera

CVE-2021-39721

A-195726151\*

EoP

Moderate

Camera

CVE-2021-39725

A-151454974\*

EoP

Moderate

Kernel

CVE-2021-39729

A-202006191\*

EoP

Moderate

TitanM

CVE-2021-39731

A-205036834\*

EoP

Moderate

Telephony

CVE-2021-39732

A-205992503\*

EoP

Moderate

Camera

CVE-2021-39733

A-206128522\*

EoP

Moderate

Audio

CVE-2021-39735

A-151455484\*

EoP

Moderate

Kernel

CVE-2021-39736

A-205995773\*

EoP

Moderate

Camera

CVE-2021-39716

A-206977562\*

ID

Moderate

Modem

CVE-2021-39717

A-198653629\*

ID

Moderate

Audio

CVE-2021-39722

A-204585345\*

ID

Moderate

Telephony

CVE-2021-39724

A-205753190\*

ID

Moderate

Camera

CVE-2021-39730

A-206472503\*

ID

Moderate

Bootloader

**Qualcomm components**

   

CVE

References

Severity

Component

CVE-2021-30299  

A-190406215  
QC-CR#2882860

Moderate

Audio

**Qualcomm closed-source components**

   

CVE

References

Severity

Component

CVE-2021-30331  

A-199194342\*

Moderate

Closed-source component

**Functional patches**

For details on the new bug fixes and functional patches included in this release, refer to the Pixel Community forum.

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2022-03-05 or later address all issues associated with the 2022-03-05 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

**Versions**

  

Version

Date

Notes

1.0

March 7, 2022

Bulletin Released

1.1

March 9, 2022

Update a CVE ID

CVE-2021-39713: Pixel Update Bulletin—March 2022  |  Android Open Source Project

In NotificationStackScrollLayout of NotificationStackScrollLayout.java, there is a possible way to bypass Factory Reset Protections. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-193149550

_Published March 7, 2022 | Updated April 5, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-03-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-03-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-03-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Android runtime**

The vulnerability in this section could lead to local escalation of privilege with System execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39689

A-206090748

EoP

Moderate

12

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with User execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39692

A-209611539

EoP

High

10, 11, 12

CVE-2021-39693

A-208662370

EoP

High

12

CVE-2021-39695

A-209607944

EoP

High

11

CVE-2021-39697

A-200813547 \[2\]

EoP

High

11, 12

CVE-2021-39690

A-204316511

DoS

High

12

**Media Framework**

The vulnerability in this section could lead to remote information disclosure with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39667

A-205702093

ID

High

10, 11, 12

**System**

The most severe vulnerability in this section could lead to remote escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39708

A-206128341

EoP

Critical

12

CVE-2021-0957

A-193149550

EoP

High

10, 11, 12

CVE-2021-39701

A-212286849

EoP

High

11, 12

CVE-2021-39702

A-205150380

EoP

High

12

CVE-2021-39703

A-207057578

EoP

High

12

CVE-2021-39704

A-209965481

EoP

High

10, 11, 12

CVE-2021-39706

A-200164168 \[2\]

EoP

High

10, 11, 12

CVE-2021-39707

A-200688991

EoP

High

10, 11, 12

CVE-2021-39709

A-208817618

EoP

High

12

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Media Codecs

CVE-2021-39667

**2022-03-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-03-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Framework**

The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39694

A-202312327

EoP

High

12

**Kernel components**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2020-29368

A-174738029  
Upstream kernel

EoP

High

Kernel Memory Management

CVE-2021-39685

A-210292376  
Upstream kernel \[2\] \[3\]

EoP

High

Linux

CVE-2021-39686

A-200688826  
Upstream kernel \[2\] \[3\] \[4\]

EoP

High

Binder

CVE-2021-39698

A-185125206  
Upstream kernel \[2\] \[3\] \[4\] \[5\]

EoP

High

Kernel

CVE-2021-3655

A-197154735  
Upstream kernel \[2\] \[3\] \[4\]

ID

High

SCTP

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2022-20047

A-213120685  
M-ALPS05917489\*

High

video decoder

CVE-2022-20048  

A-213116796  
M-ALPS05917502\*

High

video decoder

CVE-2022-20053

A-213120689  
M-ALPS06219097\*

High

ims service

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2021-35088

A-204905738  
QC-CR#3007473

High

WLAN

CVE-2021-35103  

A-209481110  
QC-CR#3033509

High

WLAN

CVE-2021-35105  

A-209469958  
QC-CR#3034743 \[2\]

High

Display

CVE-2021-35106  

A-209481028  
QC-CR#3035196 \[2\]

High

WLAN

CVE-2021-35117  

A-209481202  
QC-CR#3028360

High

WLAN

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2021-1942  

A-199191104\*

Critical

Closed-source component

CVE-2021-35110

A-209469768\*

Critical

Closed-source component

CVE-2021-1950  

A-199191539\*

High

Closed-source component

CVE-2021-30328

A-199191341\*

High

Closed-source component

CVE-2021-30329  

A-199191831\*

High

Closed-source component

CVE-2021-30332  

A-199190643\*

High

Closed-source component

CVE-2021-30333

A-199191889\*

High

Closed-source component

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Permission Controller

CVE-2021-39694

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-03-01 or later address all issues associated with the 2022-03-01 security patch level.
*   Security patch levels of 2022-03-05 or later address all issues associated with the 2022-03-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-03-01\]
*   \[ro.build.version.security\_patch\]:\[2022-03-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-03-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-03-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-03-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

March 7, 2022

Bulletin Released

1.1

March 8, 2022

Bulletin revised to include AOSP links

1.2

April 5, 2022

Revised CVE table

CVE-2021-0957: Android Security Bulletin—March 2022

_Published March 7, 2022 | Updated March 8, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-03-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-03-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-03-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Android runtime**

The vulnerability in this section could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39689

A-206090748

EoP

Moderate

12

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39692

A-209611539

EoP

High

10, 11, 12

CVE-2021-39693

A-208662370

EoP

High

12

CVE-2021-39695

A-209607944

EoP

High

11

CVE-2021-39697

A-200813547 \[2\]

EoP

High

11, 12

CVE-2021-39624

A-67862680 \[2\]

DoS

High

10, 11, 12

CVE-2021-39690

A-204316511

DoS

High

12

**Media Framework**

The vulnerability in this section could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39667

A-205702093

ID

High

10, 11, 12

**System**

The most severe vulnerability in this section could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39708

A-206128341

EoP

Critical

12

CVE-2021-0957

A-193149550

EoP

High

10, 11, 12

CVE-2021-39701

A-212286849

EoP

High

11, 12

CVE-2021-39702

A-205150380

EoP

High

12

CVE-2021-39703

A-207057578

EoP

High

12

CVE-2021-39704

A-209965481

EoP

High

10, 11, 12

CVE-2021-39706

A-200164168 \[2\]

EoP

High

10, 11, 12

CVE-2021-39707

A-200688991

EoP

High

10, 11, 12

CVE-2021-39709

A-208817618

EoP

High

12

CVE-2021-39705

A-186026746 \[2\] \[3\]

ID

High

10, 11, 12

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Media Codecs

CVE-2021-39667

**2022-03-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-03-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Framework**

The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39694

A-202312327

EoP

High

12

**Kernel components**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Component

CVE-2020-29368

A-174738029  
Upstream kernel

EoP

High

Kernel Memory Management

CVE-2021-39685

A-210292376  
Upstream kernel \[2\] \[3\]

EoP

High

Linux

CVE-2021-39686

A-200688826  
Upstream kernel \[2\] \[3\] \[4\]

EoP

High

Binder

CVE-2021-39698

A-185125206  
Upstream kernel \[2\] \[3\] \[4\] \[5\]

EoP

High

Kernel

CVE-2021-3655

A-197154735  
Upstream kernel \[2\] \[3\] \[4\]

ID

High

SCTP

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2022-20047

A-213120685  
M-ALPS05917489\*

High

video decoder

CVE-2022-20048  

A-213116796  
M-ALPS05917502\*

High

video decoder

CVE-2022-20053

A-213120689  
M-ALPS06219097\*

High

ims service

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2021-35088

A-204905738  
QC-CR#3007473

High

WLAN

CVE-2021-35103  

A-209481110  
QC-CR#3033509

High

WLAN

CVE-2021-35105  

A-209469958  
QC-CR#3034743 \[2\]

High

Display

CVE-2021-35106  

A-209481028  
QC-CR#3035196 \[2\]

High

WLAN

CVE-2021-35117  

A-209481202  
QC-CR#3028360

High

WLAN

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2021-1942  

A-199191104\*

Critical

Closed-source component

CVE-2021-35110

A-209469768\*

Critical

Closed-source component

CVE-2021-1950  

A-199191539\*

High

Closed-source component

CVE-2021-30328

A-199191341\*

High

Closed-source component

CVE-2021-30329  

A-199191831\*

High

Closed-source component

CVE-2021-30332  

A-199190643\*

High

Closed-source component

CVE-2021-30333

A-199191889\*

High

Closed-source component

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Permission Controller

CVE-2021-39694

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-03-01 or later address all issues associated with the 2022-03-01 security patch level.
*   Security patch levels of 2022-03-05 or later address all issues associated with the 2022-03-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-03-01\]
*   \[ro.build.version.security\_patch\]:\[2022-03-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-03-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-03-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-03-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

March 7, 2022

Bulletin Released

1.1

March 8, 2022

Bulletin revised to include AOSP links

Tag

#android