Product: AndroidVersions: Android kernelAndroid ID: A-209014813References: N/A

_Published March 7, 2022_

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices (Google devices). For Google devices, security patch levels of 2022-03-05 or later address all issues in this bulletin and all issues in the March 2022 Android Security Bulletin. To learn how to check a device's security patch level, see Check and update your Android version.

All supported Google devices will receive an update to the 2022-03-05 patch level. We encourage all customers to accept these updates to their devices.

**Announcements**

*   In addition to the security vulnerabilities described in the March 2022 Android Security Bulletin, Google devices also contain patches for the security vulnerabilities described below.

**Security patches**

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel components**

    

CVE

References

Type

Severity

Component

CVE-2021-43267

A-205243414  
Upstream kernel

RCE

Moderate

Kernel

CVE-2021-22600

A-213464034  
Upstream kernel

EoP

Moderate

Kernel

CVE-2021-37159

A-195082947  
Upstream kernel \[2\]

EoP

Moderate

Kernel

CVE-2021-39712

A-176918884\*

EoP

Moderate

Kernel

CVE-2021-39713

A-173788806  
Upstream kernel \[2\] \[3\] \[4\] \[5\]

EoP

Moderate

Kernel

CVE-2021-39714

A-205573273  
Upstream kernel

EoP

Moderate

Kernel

CVE-2021-41864

A-202511260  
Upstream kernel

EoP

Moderate

Kernel

CVE-2021-21781

A-197850306  
Upstream kernel

ID

Moderate

Kernel

CVE-2021-33624

A-192972537  
Upstream kernel

ID

Moderate

Kernel

CVE-2021-39711

A-154175781  
Upstream kernel

ID

Moderate

Kernel

CVE-2021-39715

A-178379135  
Upstream kernel

ID

Moderate

Kernel

CVE-2021-39792

A-161010552  
Upstream kernel

ID

Moderate

Kernel

CVE-2021-43975

A-207093880  
Upstream kernel

ID

Moderate

Kernel

**Pixel**

    

CVE

References

Type

Severity

Component

CVE-2021-39720

A-207433926\*

RCE

Critical

Modem

CVE-2021-39723

A-209014813\*

RCE

Critical

Modem

CVE-2021-39737

A-208229524\*

RCE

Critical

Modem

CVE-2021-25279

A-214310168\*

EoP

Critical

Modem

CVE-2021-25478

A-214309660\*

EoP

Critical

Modem

CVE-2021-25479

A-214309790\*

EoP

Critical

Modem

CVE-2021-39710

A-202160245\*

EoP

High

Telephony

CVE-2021-39734

A-208650395\*

EoP

High

Telephony

CVE-2021-39793

A-210470189\*

EoP

High

Display/Graphics

CVE-2021-39726

A-181782896\*

ID

High

Modem

CVE-2021-39727

A-196388042\*

ID

High

Titan M2

CVE-2021-39718

A-205035540\*

EoP

Moderate

Telephony

CVE-2021-39719

A-205995178\*

EoP

Moderate

Camera

CVE-2021-39721

A-195726151\*

EoP

Moderate

Camera

CVE-2021-39725

A-151454974\*

EoP

Moderate

Kernel

CVE-2021-39729

A-202006191\*

EoP

Moderate

TitanM

CVE-2021-39731

A-205036834\*

EoP

Moderate

Telephony

CVE-2021-39732

A-205992503\*

EoP

Moderate

Camera

CVE-2021-39733

A-206128522\*

EoP

Moderate

Audio

CVE-2021-39735

A-151455484\*

EoP

Moderate

Kernel

CVE-2021-39736

A-205995773\*

EoP

Moderate

Camera

CVE-2021-39716

A-206977562\*

ID

Moderate

Modem

CVE-2021-39717

A-198653629\*

ID

Moderate

Audio

CVE-2021-39722

A-204585345\*

ID

Moderate

Telephony

CVE-2021-39724

A-205753190\*

ID

Moderate

Camera

CVE-2021-39730

A-206472503\*

ID

Moderate

Bootloader

**Qualcomm components**

   

CVE

References

Severity

Component

CVE-2021-30299  

A-190406215  
QC-CR#2882860

Moderate

Audio

**Qualcomm closed-source components**

   

CVE

References

Severity

Component

CVE-2021-30331  

A-199194342\*

Moderate

Closed-source component

**Functional patches**

For details on the new bug fixes and functional patches included in this release, refer to the Pixel Community forum.

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2022-03-05 or later address all issues associated with the 2022-03-05 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

**Versions**

  

Version

Date

Notes

1.0

March 7, 2022

Bulletin Released

1.1

March 9, 2022

Update a CVE ID

CVE-2021-39723: Pixel Update Bulletin—March 2022  |  Android Open Source Project

Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.

**Sorry, your browser is not supported. We recommend upgrading your browser. We have done our best to make all the documentation and resources available on old versions of Internet Explorer, but vector image support and the layout may not be optimal. Technical documentation is available as a PDF Download.**

**Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism****Updated on 08/March/2022**

For details on the newly announced Spectre-BHB attack, consult the Spectre-BHB page.

In 2018, Google disclosed research findings identifying security vulnerabilities. Those vulnerabilities were based on cache timing side-channels exploiting processor speculation.  These web pages contain the latest information on those attacks, including a list of affected Arm processors, and their potential mitigations. This page will be periodically updated when new attacks are disclosed, or new information about the processors or software mitigations is made public. 

Cache timing side-channels are a well-understood concept in the area of security research and therefore not a new finding. However, this side-channel mechanism could enable someone to potentially extract some information that otherwise would not be accessible to software from processors that are performing as designed. This is the issue addressed here and in the Cache Speculation Side-channels white paper.

It is important to note that these methods are generally dependent on malware running locally. Practicing good security hygiene by keeping software up-to-date, and avoiding suspicious links or downloads, is imperative for users.

The majority of Arm processors are **not impacted** by any variation of this side-channel speculation mechanism. A definitive list of the subset of Arm-designed processors that are susceptible can be found below.

![](https://developer.arm.com/-/media/Arm%20Developer%20Community/Images/Utility/Arm-Whitepaper-Thumbnail.png?revision=955ee1db-6a44-438c-93bd-2305b6040d3a&hash=5889E09C89280317CF6D0126B1FD812C2C09A85C&hash=5889E09C89280317CF6D0126B1FD812C2C09A85C)

Cache Speculation Side-channels white paper

Download

**What are the attack mechanisms?**

There are four main variants of the exploits, as detailed by Google in their blogpost, that explain in detail the mechanisms:

*   Variant 1: bounds check bypass store (CVE-2017-5753) and bounds check bypass store (CVE-2018-3693)
*   Variant 2: branch target injection (CVE-2017-5715)
*   Variant 3: using speculative reads of inaccessible data (CVE-2017-5754)
*   Subvariant 3a: using speculative reads of inaccessible data (CVE-2018-3640)
*   Variant 4: speculative bypassing of stores by younger loads despite the presence of a dependency (CVE-2018-3639)
*   Straight-line speculation: speculatively executing the instructions linearly in memory following an unconditional change in control flow (CVE-2020-13844). For more information on this attack mechanism and potential mitigations, see the FAQ and this white paper.
*   Spectre-BHB: branch target injection in the same software context (unlike Spectre v2, which injects branch targets across different exception levels) (CVE-2022-23960). For more information on this attack mechanism and potential mitigations, please see the information found on the Spectre-BHB page. 

In addition, Arm has included information on a related variant to 3, noted as 3a, in the table below.

Follow the steps below to determine if there is any vulnerability for your devices and, if vulnerable, then the mitigation mechanisms.

**Step 1**

Check the table below to determine if you have an affected processor.

*   Only affected cores are listed
*   ****Other Arm cores that are NOT listed are NOT affected****
*   **No** indicates the core affected by the particular variant for that version of the core, and the software mitigation should be applied
*   **Yes** indicates affected by the particular variant but has a mitigation (unless otherwise stated)
*   Cortex-R cores typically use a closed software stack. In those environments,  applications or processes are strictly controlled, and therefore not exploitable

Processor

Revision

Variant 1

Variant 2

Variant 3

Variant3a

Variant 4

Spectre-BHB

Cortex-R7

All

Yes

Yes

No

No

No

Yes

Cortex-R8

All

Yes

Yes

No

No

No

Yes

Cortex-A8

All

Yes

Yes

No

No

No

No

Cortex-A9

All

Yes

Yes

No

No

No

No

Cortex-A12

All

Yes

Yes

No

No

No

No

Cortex-A15

All

Yes

Yes

No

Yes

No

No

Cortex-A17

All

Yes

Yes

No

No

No

No

Cortex-A57

All

Yes

Yes

No

Yes

Yes

Yes

Cortex-A65

All

Yes

No

No

No

No

Yes

Cortex-A65AE

All

Yes

No

No

No

No

Yes

Cortex-A72

Prior to r1p0

Yes

Yes

No

Yes

Yes

Yes

Cortex-A72\*  

r1p0 and after

Yes

No

No

No

Yes

Yes

Cortex-A73

Prior to r1p0

 Yes

Yes

No

No

Yes

Yes

Cortex-A73\*

r1p0 and after

Yes

No

No

No

Yes

Yes

Cortex-A75

Prior to r3p0  

Yes

Yes

Yes

Yes

Yes

Yes

Cortex-A75\*

r3p0 and after  

Yes

No

No

N

Yes

Yes

Cortex-A76

Prior to r3p0  

Yes

Yes

No

No

Yes

Yes

Cortex-A76\*

r3p0 and after

Yes

No

No

No

No

Yes

Cortex-A77

Prior to r1p1  

Yes

Yes

No

No

Yes

Yes

Cortex-A77\*

Prior to r1p1  

Yes

No

No

No

No

Yes

Cortex-A78\*

All

Yes

No

No

No

No

Yes

Cortex-A78C\*

All

Yes

No

No

No

No

No

Cortex-A78AE\*

All

Yes

No

No

No

No

Yes

Cortex-A710\*

All

Yes

No

No

No

No

Yes

Neoverse-E1

All

Yes

No

No

No

No

Yes

Neoverse-N1

Prior to r3p0

Yes

Yes

No

No

Yes

Yes

Neoverse-N1\*

r3p0 and after  

Yes

No

No

No

No

Yes

Neoverse-V1\*

All

Yes

No

No

No

No

Yes

Neoverse-N2\*

All

Yes

No

No

No

No

Yes

Cortex-X1\*

All

Yes

No

No

No

No

Yes

Cortex-X2\*

All

Yes

No

No

No

No

Yes

**\* Note:** For Armv8.5-A and Armv9 hardware mitigations added to the indicated Arm CPUs, view the Armv8.5-A/Armv9 Updates document.

**Step 2**

*   If you are running Linux, please follow the directions below according to the variant identified in the table.
*   If you are running Android, please check with Google for the detail of supported kernel versions.
*   If you are running another OS, please contact the OS vendor for details and refer to **For non-Linux operating system** below.
*   For JIT development, please check with the run-time vendor for details.

  
**For Linux**

**Variant 1**

Where vulnerable code sequences (described in the Cache Speculation Side-channels white paper) have been identified, the action required is:

*   Impacted kernel/driver code should be reworked to use the new cross-architectural ‘nospec’ accessors. These accessors implement suitable Arm ‘CSDB’ sequences and ensure the compiler generates speculation safe code sequences for bounds checks.
*   Userspace code implementing software privilege boundaries should be reworked, using the approach discussed in Compiler support for mitigations.

**Variant 2**

The mitigation will vary by processor micro-architecture:

For Cortex-A57, Cortex-A72, Cortex-A73, and Cortex-A75 that have not been updated, please apply kernel patches and Trusted Firmware-A patches provided by Arm.

For Cortex-A8, Cortex-A9, Cortex-A12, Cortex-A15, and Cortex-A17 please apply the kernel patches provided by Arm.

View the available Kernel patches and Trusted Firmware-A patches.

**Variant 3**

For Cortex-A75:

*   Ensure your kernel implements Kernel Page Table Isolation (KPTI), referring to the patches in the branch above. This variant impacts software executing at EL1/EL0 which share a translation regime. KPTI is used to unmap the kernel from a process address space when that process is running. 

**Variant 3a**

For Cortex-A15, Cortex-A57, and Cortex-A72:

*   In general, it is not believed that software mitigations for this issue are necessary. However, an update for the latest release of the Cortex-A72 does include a hardware mitigation for this issue. Please download the Cache Speculation Side-channels white paper for more details.

**Variant 4**

For Cortex-A76 and Neoverse N1:

Mitigation is based on dynamically disabling memory disambiguation via an implementation-defined control register. Implementing this functionality involves updates to Trusted Firmware. Linux patches were merged in the 4.18 release of the Linux kernel and backported to the 4.14 and 4.9 stable kernels.

Release versions of Neoverse N1, as well as updated versions of the Cortex-A76, have made the control feature architecturally defined, as well as added additional barrier operations to help software mitigate this issue. Support for the architectural mitigations was added to Linux in the 4.20 release.

For Cortex-A57, Cortex-A72, Cortex-A73, and Cortex-A75:

Mitigation is based on disabling a hardware feature (memory disambiguation) at boot via an implementation-defined control register.

View the Trusted Firmware-A Advisory.

**For non-Linux operating systems**

**Variant 2**

The mitigation will vary by processor micro-architecture:

For Cortex-A9, Cortex-A12, Cortex-A17, Cortex-R7, and Cortex-R8, invalidate the branch predictor using a BPIALL instruction. See below for mitigation of remaining affected cores.

For Cortex-A8:

*   Invalidate the branch predictor using a BPIALL instruction.
*   Set ACTRL\[6\] to 1 during early processor initialization.

For Cortex-A15:

*   Set ACTLR\[0\]==1 from early initialization of the processor.
*   Invalidate the branch predictor by performing an ICIALLU instruction.

For Cortex-A57 and Cortex-A72:

*   Do one of the following:
    *   Disable the current stage 1 MMU, execute an ISB, re-enable the MMU and execute an ISB. This must be done in an area of memory where the VA and the IPA (or PA if there is only one stage of translation) are the same.
    *   Do an ERET from EL3 where SCTLR\_EL3.M==1 to S-EL1 where SCTLR\_EL1.M=0 followed by an SMC back to EL3.

For Cortex-A73:

*   In AArch32: Invalidate the branch predictor using a BPIALL instruction.
*   In AArch64: Switch into AArch32, then perform a BPIALL - this can be done by calling Secure EL1 code, which is typically using AArch32, to do the BPIALL.

For Cortex-A75:

*   In AArch32: Invalidate the branch predictor using a BPIALL instruction.
*   In AArch64: Switch into AArch32, then perform a BPIALL - this can be done by calling Secure EL1 code, which is typically using AArch32, to do the BPIALL.

**Variant 4**

The mitigation varies by processor micro-architecture. Memory disambiguation should be disabled at boot by setting the relevant control register bit:

For Cortex-A57 and Cortex-A72:

*   Set bit 55 (disable load pass store) of CPUACTLR\_EL1 (S3\_1\_C15\_C2\_0).

For Cortex-A73:

*   Set bit 3 of S3\_0\_C15\_C0\_0.

For Cortex-A75:

*   Set bit 35 of CPUACTLR\_EL1 (S3\_0\_C15\_C1\_0)

For Cortex-A76:

*   Set bit 16 of CPUACTLR2\_EL1 (S3\_0\_C15\_C1\_1)

Please consult the latest version of the white paper for additional mitigations.

**What about future Arm Cortex processors?**

All future Arm Neoverse and Cortex processors provided to our licensees will be resilient to this style of attack, or will be mitigated by enhancements made to the Kernel and firmware. For details on updates to affected CPUs, as well as descriptions of mitigations added to Armv8.5-A, view the Armv8.5-A CPU Updates document.

Arm recommends that users deploy the software mitigations described in the Cache Speculation Side-channels white paper, and in the Spectre-BHB white paper, where protection against malicious applications is required.  Arm's Security Response Team will continue to research any potential mitigations, and work closely with our customers and partners.  Please refer to the FAQ for additional information.

CVE-2022-23960: Speculative Processor Vulnerability – Arm Developer

An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.

CVE-2022-26966

An issue was discovered in Luna Simo PPR1.180610.011/202001031830. A pre-installed app with a package name of com.skyroam.silverhelper writes three IMEI values to system properties at system startup. The system property values can be obtained via getprop by all third-party applications co-located on the device, even those with no permissions granted, exposing the IMEI values to processes without enforcing any access control.

**Hack Menu**

![@Hack](https://files.athack.com/files/2020-12/menu-desktop-LOGO.png?VersionId=7NMeCGiIm_vdS5YEEH7WEZTszMWmLbIE)

field is required.

![@Hack](https://files.athack.com/files/2020-12/menu-desktop-LOGO.png?VersionId=7NMeCGiIm_vdS5YEEH7WEZTszMWmLbIE)

First Column

Overview

About @Hack

Saudi Federation

Black Hat

Supporters

Planning & Preparation

Code of Conduct

Conferences,  
Sessions & Talks

Speakers

Executive Summit

Networking

@Hack Arsenal

Briefings

Second Column

Agenda

2021 Exhibitor Directory

Trainings

Onsite Trainings

Online Trainings

Offensive Security

Business Hall

Third Column

Media Centre

@Hack Movement

KSA Chapter

UAE Chapter

Capture the Flag

Fourth Column

Register Your Interest

Subscribe

![](https://files.athack.com/files/upper-right-logo%402x_0.png?VersionId=j3LsePdwqOHJCnPnU0LiMYKjEB7UCtCk)

1.  Home
2.  Agenda
3.  Agenda

.

I am Root: Security Analysis of Simo’s vSIM Android Software

Track

Briefings

Topic / Sector

![](https://athack.com/themes/custom/hack_theme/images/home-page/ico-time.svg) 25 mins ![](https://athack.com/themes/custom/hack_theme/images/home-page/ico-place.svg) Briefings Room 3

CVE-2021-41850: @Hack | Infosec on the Edge | 28

In video decoder, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05917489; Issue ID: ALPS05917489.

**March 2022 Product Security Bulletin**

Published 2022-03-07

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT and TV chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2022-20047, CVE-2022-20048, CVE-2022-20053

Medium

CVE-2022-20049, CVE-2022-20050, CVE-2022-20051, CVE-2022-20054, CVE-2022-20055, CVE-2022-20056, CVE-2022-20057, CVE-2022-20058, CVE-2022-20059, CVE-2022-20060

****Details****

CVE

**CVE-2022-20047**

Title

Out-of-bounds write in video decoder

Severity

High

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In video decoder, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT5816, MT5835, MT6885, MT6893, MT9900, MT9901, MT9950, MT9969, MT9970, MT9980

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20048**

Title

Out-of-bounds write in video decoder

Severity

High

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In video decoder, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT5816, MT5835, MT6885, MT6893, MT9900, MT9901, MT9950, MT9969, MT9970, MT9980

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20053**

Title

Missing authorization in ims service

Severity

High

Vulnerability Type

EoP

CWE

CWE-862 Missing Authorization

Description

In ims service, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8167, MT8168, MT8173, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 9.0, 10.0, 11.0, 12.0

CVE

**CVE-2022-20049**

Title

Improper access control in vpu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-284 Improper Access Control

Description

In vpu, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6779, MT6785, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8788

Affected Software Versions

Android 10.0, 11.0

CVE

**CVE-2022-20050**

Title

Unix symbolic link (symlink) following in connsyslogger

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-61 UNIX Symbolic Link (Symlink) Following

Description

In connsyslogger, there is a possible symbolic link following due to improper link resolution. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6762, MT6765, MT6768, MT6769, MT6779, MT6781, MT6785, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6891, MT6893, MT8163, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8696, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-20051**

Title

Incorrect privilege assignment in ims service

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-266 Incorrect Privilege Assignment

Description

In ims service, there is a possible unexpected application behavior due to incorrect privilege assignment. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8167, MT8168, MT8173, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-20054**

Title

Missing authorization in ims service

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-862 Missing Authorization

Description

In ims service, there is a possible AT command injection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6739, MT6750, MT6761, MT6762, MT6763, MT6765, MT6768, MT6771, MT6779, MT8167, MT8168, MT8173, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 9.0, 10.0, 11.0, 12.0

CVE

**CVE-2022-20055**

Title

Out-of-bounds write in preloader (usb)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In preloader (usb), there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6893, MT8183, MT8185, MT8321, MT8385, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20056**

Title

Out-of-bounds write in preloader (usb)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In preloader (usb), there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6893, MT8183, MT8185, MT8321, MT8385, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20057**

Title

Detection of error condition without action in btif

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-390 Detection of Error Condition Without Action

Description

In btif, there is a possible memory corruption due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6739, MT6758, MT6761, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6883, MT6893, MT8163, MT8167, MT8168, MT8173, MT8362A, MT8365

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-20058**

Title

Out-of-bounds write in preloader (usb)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In preloader (usb), there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6893, MT8183, MT8185, MT8321, MT8385, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20059**

Title

Out-of-bounds write in preloader (usb)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In preloader (usb), there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6885, MT6889, MT6893, MT8183, MT8185, MT8321, MT8385, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20060**

Title

Security flow issues in preloader (usb)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-1196 Security Flow Issues

Description

In preloader (usb), there is a possible permission bypass due to a missing proper image authentication. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6875, MT6877, MT6885, MT6889, MT6893, MT8183, MT8185, MT8321, MT8385, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

March 7, 2022

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2022-20047: March 2022

There is an incorrect buffer size calculation vulnerability in the video framework.Successful exploitation of this vulnerability may affect availability.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the February 2022 Android security bulletin:

Critical: none

High: CVE-2020-13112, CVE-2020-13113, CVE-2021-39619, CVE-2021-39663, CVE-2021-39666, CVE-2021-39669, CVE-2021-39674, CVE-2021-39676, CVE-2021-39631, CVE-2021-35068, CVE-2021-35074, CVE-2021-35075, CVE-2021-35077, CVE-2021-35069

Medium: CVE-2021-30324, CVE-2021-30325

Low: none

Already included in previous updates: CVE-2021-39626, CVE-2021-39633, CVE-2021-39634, CVE-2021-0775, CVE-2021-1027, CVE-2021-1028, CVE-2021-1029, CVE-2021-0759, CVE-2021-0852

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-40054: Integer underflow vulnerability in the atcmdserver module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40047: Vulnerability of memory not being released after effective lifetime in the Bastet module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40053: Permission control vulnerability in the Nearby module

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability will affect availability and integrity.

CVE-2021-40052: Incorrect buffer size calculation vulnerability in the video framework

Severity: High

Affected versions: EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40051: Unauthorized access vulnerability in system components

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-40050: Out-of-bounds read vulnerability in the IFAA module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may cause stack overflow.

CVE-2021-40049: Permission control vulnerability in the PMS module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability can lead to sensitive system information being obtained without authorization.

CVE-2021-40048: Incorrect buffer size calculation vulnerability in the video framework

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2021-40062: Vulnerability of copying input buffer without checking its size in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40055: Man-in-the-middle attack vulnerability during system update download in recovery mode

Severity: Critical

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40061: Vulnerability of accessing resources using an incompatible type (type confusion) in the Bastet module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40060: Heap-based buffer overflow vulnerability in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40059: Permission control vulnerability in the Wi-Fi module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2021-40058: Heap-based buffer overflow vulnerability in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40057: Heap-based and stack-based buffer overflow vulnerabilities in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40056: Vulnerability of copying input buffer without checking its size in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40063: Improper access control vulnerability in the video module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2021-40064: Heap-based buffer overflow vulnerability in system components

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect system stability.

CVE-2021-40011: Uncontrolled resource consumption vulnerability in the display module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40052: March

There is a vulnerability of copying input buffer without checking its size in the video framework. Successful exploitation of this vulnerability may affect availability.

CVE-2021-40056: March

Nextcloud talk is a self hosting messaging service. In versions prior 12.1.2 an attacker is able to control the link of a geolocation preview in the Nextcloud Talk application due to a lack of validation on the link. This could result in an open-redirect, but required user interaction. This only affected users of the Android Talk client. It is recommended that the Nextcloud Talk App is upgraded to 12.1.2. There are no known workarounds.


**Impact**

An attacker is able to control the link of a geolocation preview in the Nextcloud Talk application. This could result in an open-redirect, but required user interaction. This only affected users of the Android Talk client.

**Patches**

It is recommended that the Nextcloud Talk App is upgraded to 12.1.2.

**Workarounds**

None.

**References**

*   HackerOne
*   Pull Request

**For more information**

If you have any questions or comments about this advisory:

*   Create a post in nextcloud/security-advisories
*   Customers: Open a support ticket at support.nextcloud.com

CVE-2021-41180: Build software better, together

Nextcloud talk is a self hosting messaging service. In versions prior to 12.3.0 the Nextcloud Android Talk application did not properly detect the lockscreen state when a call was incoming. If an attacker got physical access to the locked phone, and the victim received a phone call the attacker could gain access to the chat messages and files  of the user. It is recommended that the Nextcloud Android Talk App is upgraded to 12.3.0. There are no known workarounds.


**Impact**

The Nextcloud Android Talk application did not properly detect the lockscreen state when a call was incoming. If an attacker got physical access to the locked phone, and the victim received a phone call the attacker could gain access to the chat messages and files of the user.

**Patches**

It is recommended that the Nextcloud Android Talk App is upgraded to 12.3.0.

**Workarounds**

None.

**References**

*   HackerOne
*   Pull Request

**For more information**

If you have any questions or comments about this advisory:

*   Create a post in nextcloud/security-advisories
*   Customers: Open a support ticket at support.nextcloud.com

Tag

#android