{"id":"ASB-A-213850092","details":"In various functions of C2DmaBufAllocator.cpp, there is a possible memory corruption due to a use after free. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.","aliases":["A-213850092","CVE-2022-20228"],"modified":"2026-05-25T16:46:24.913870386Z","published":"2022-07-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-07-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/av/+/a12f8a065c081b7aa2d7aaa1df79498c282c53d2"}],"affected":[{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-07-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","signature_version":"v1","id":"ASB-A-213850092-15618e38","source":"https://android.googlesource.com/platform/frameworks/av/+/5cbca291a6d288fa6d471c0dc223537ca12700d3","target":{"file":"media/codec2/vndk/C2AllocatorIon.cpp"},"deprecated":false,"digest":{"line_hashes":["192227934232514726557426748198738623410","317255628712816926328077450866894228452","311631332125272066488853762979160572930","200969091410336481141966200584404115575","51559047303558521212122549833089270220","74221046007737194667233700832096575063","228252480631705538231742767406619682407","22492156979977295798095182627872838035","231399710022428264346164184280306177067","211655241687773405580550050359533509495","194651649701829123340808045550149298755","88287981816864687367563400153199024117","21133483344499622561215568506296204047","44914622061145209070180209937845868801","194300837437827142635570084323525444759","21270117293079764063673154557878170952","235620155372164143951842304285161307163","310040829824071364552459800808268420305","320746817924010270769999961346433377402","181590233791588607348333510668637482539","37077830568388809013384498335522893334","287683952838851208945788423954754367332","314318985694173977636984479840306674552","123801798367134975462997417348237060122","314686063585001825113132334808958923677","195903363165327730377140988313203592017","316461725082244718898528055752115183257","66275611729325449737339854251446508253","274283264904369067223163265774635421682","154925317047249732204408814864411678525","93064771771212267697144890968037783838","54456604817051958429238255474257769216","4415980063983488735625236013337988711","121665763636476463751885739650815948483","39325296754708017965824161051703363402","239240393691106160585830857877140432688","239670772907459229346688508752068172892","332859814753134252708024752127214576688","90661642236740509347713288329185464032","134868697679941322428296847329038362219","59162336919209653723894857708251608234","295312956171829762994738736568944178687","268734471588714994898013031994459612349","103233899701424350933302057997214161275","242604353954162070547450642583046068316","59287285465733016241748955774357058775","141394885991717466741112758253931869448","27028203555431716372373482172836092522","332407439834065522916652423857843263185","18370254986684097256761458897809386866","324916189533104502194359447110009875807","119736582797376422820720639432704534758","10138077624400305967329662390503689073","168087749518512853078711943852155356037","34445881603422342436620705275987892025"],"threshold":0.9}},{"signature_type":"Function","digest":{"length":784,"function_hash":"167525502730782928918426667957436792503"},"id":"ASB-A-213850092-3de18407","source":"https://android.googlesource.com/platform/frameworks/av/+/5cbca291a6d288fa6d471c0dc223537ca12700d3","target":{"function":"C2DmaBufAllocation::unmap","file":"media/codec2/vndk/C2DmaBufAllocator.cpp"},"deprecated":false,"signature_version":"v1"},{"signature_type":"Function","digest":{"length":308,"function_hash":"84751803150063703769184018163581837046"},"id":"ASB-A-213850092-ae3bd88b","source":"https://android.googlesource.com/platform/frameworks/av/+/5cbca291a6d288fa6d471c0dc223537ca12700d3","target":{"function":"C2DmaBufAllocation::~C2DmaBufAllocation","file":"media/codec2/vndk/C2DmaBufAllocator.cpp"},"deprecated":false,"signature_version":"v1"},{"signature_type":"Function","signature_version":"v1","id":"ASB-A-213850092-b4f4e2cc","source":"https://android.googlesource.com/platform/frameworks/av/+/5cbca291a6d288fa6d471c0dc223537ca12700d3","target":{"function":"C2DmaBufAllocation::map","file":"media/codec2/vndk/C2DmaBufAllocator.cpp"},"deprecated":false,"digest":{"length":718,"function_hash":"81310799912256614906691639230053021652"}},{"signature_type":"Line","digest":{"line_hashes":["189398025276921510662259629929679625504","190124384050380137500313740546362094636","318442528087732575042734206245950164334","200969091410336481141966200584404115575","324916189533104502194359447110009875807","138764542055880364928204930256352419840","146103464064372951264048699517613775573","6270207401994686947099272090192686013","30164083190354049957389761680047008013","74221046007737194667233700832096575063","228252480631705538231742767406619682407","22492156979977295798095182627872838035","31133979089634078623668486667043461080","60589161606239541530292977430291225801","79833116189996246325763992945216508705","21133483344499622561215568506296204047","268245298036413543952179369188266135625","88782410469043552503251570297246250434","268910806458056956348636141379258945740","53357948951561565206560574069236934778","310040829824071364552459800808268420305","122504346484478287434413399803169473137","282596664588746285551602688336961958615","304059659473115756915233644411737299832","123801798367134975462997417348237060122","121665763636476463751885739650815948483","63908884897072704198123042693509587337","19985124781375086165144574996702862129","136847701873993135194624429221300571733","290727991407667733996424948630674831692","268767516241136795539513431389130295542","122684162537915230232268244634080548700","232241272674342874416045558473089824839","333103102776945917657126086317281240904","312083599223791841006018271297194341200"],"threshold":0.9},"id":"ASB-A-213850092-dd690a7b","source":"https://android.googlesource.com/platform/frameworks/av/+/5cbca291a6d288fa6d471c0dc223537ca12700d3","target":{"file":"media/codec2/vndk/C2DmaBufAllocator.cpp"},"deprecated":false,"signature_version":"v1"}],"severity":"High","spl":"2022-07-01","fixes":["https://android.googlesource.com/platform/frameworks/av/+/5cbca291a6d288fa6d471c0dc223537ca12700d3"],"types":["ID"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-213850092.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-07-01"}]}],"versions":["12L"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","digest":{"line_hashes":["192227934232514726557426748198738623410","317255628712816926328077450866894228452","311631332125272066488853762979160572930","200969091410336481141966200584404115575","51559047303558521212122549833089270220","74221046007737194667233700832096575063","228252480631705538231742767406619682407","22492156979977295798095182627872838035","231399710022428264346164184280306177067","211655241687773405580550050359533509495","194651649701829123340808045550149298755","88287981816864687367563400153199024117","21133483344499622561215568506296204047","44914622061145209070180209937845868801","194300837437827142635570084323525444759","21270117293079764063673154557878170952","235620155372164143951842304285161307163","310040829824071364552459800808268420305","320746817924010270769999961346433377402","181590233791588607348333510668637482539","37077830568388809013384498335522893334","287683952838851208945788423954754367332","314318985694173977636984479840306674552","123801798367134975462997417348237060122","314686063585001825113132334808958923677","195903363165327730377140988313203592017","316461725082244718898528055752115183257","66275611729325449737339854251446508253","274283264904369067223163265774635421682","154925317047249732204408814864411678525","93064771771212267697144890968037783838","54456604817051958429238255474257769216","4415980063983488735625236013337988711","121665763636476463751885739650815948483","39325296754708017965824161051703363402","239240393691106160585830857877140432688","239670772907459229346688508752068172892","332859814753134252708024752127214576688","90661642236740509347713288329185464032","134868697679941322428296847329038362219","59162336919209653723894857708251608234","295312956171829762994738736568944178687","268734471588714994898013031994459612349","103233899701424350933302057997214161275","242604353954162070547450642583046068316","59287285465733016241748955774357058775","141394885991717466741112758253931869448","27028203555431716372373482172836092522","332407439834065522916652423857843263185","18370254986684097256761458897809386866","324916189533104502194359447110009875807","119736582797376422820720639432704534758","10138077624400305967329662390503689073","168087749518512853078711943852155356037","34445881603422342436620705275987892025"],"threshold":0.9},"id":"ASB-A-213850092-00e274be","source":"https://android.googlesource.com/platform/frameworks/av/+/5cbca291a6d288fa6d471c0dc223537ca12700d3","target":{"file":"media/codec2/vndk/C2AllocatorIon.cpp"},"deprecated":false,"signature_version":"v1"},{"signature_type":"Line","digest":{"line_hashes":["189398025276921510662259629929679625504","190124384050380137500313740546362094636","318442528087732575042734206245950164334","200969091410336481141966200584404115575","324916189533104502194359447110009875807","138764542055880364928204930256352419840","146103464064372951264048699517613775573","6270207401994686947099272090192686013","30164083190354049957389761680047008013","74221046007737194667233700832096575063","228252480631705538231742767406619682407","22492156979977295798095182627872838035","31133979089634078623668486667043461080","60589161606239541530292977430291225801","79833116189996246325763992945216508705","21133483344499622561215568506296204047","268245298036413543952179369188266135625","88782410469043552503251570297246250434","268910806458056956348636141379258945740","53357948951561565206560574069236934778","310040829824071364552459800808268420305","122504346484478287434413399803169473137","282596664588746285551602688336961958615","304059659473115756915233644411737299832","123801798367134975462997417348237060122","121665763636476463751885739650815948483","63908884897072704198123042693509587337","19985124781375086165144574996702862129","136847701873993135194624429221300571733","290727991407667733996424948630674831692","268767516241136795539513431389130295542","122684162537915230232268244634080548700","232241272674342874416045558473089824839","333103102776945917657126086317281240904","312083599223791841006018271297194341200"],"threshold":0.9},"id":"ASB-A-213850092-0609e4bd","source":"https://android.googlesource.com/platform/frameworks/av/+/5cbca291a6d288fa6d471c0dc223537ca12700d3","target":{"file":"media/codec2/vndk/C2DmaBufAllocator.cpp"},"deprecated":false,"signature_version":"v1"},{"signature_type":"Function","digest":{"length":308,"function_hash":"84751803150063703769184018163581837046"},"id":"ASB-A-213850092-58f7ed62","source":"https://android.googlesource.com/platform/frameworks/av/+/5cbca291a6d288fa6d471c0dc223537ca12700d3","target":{"function":"C2DmaBufAllocation::~C2DmaBufAllocation","file":"media/codec2/vndk/C2DmaBufAllocator.cpp"},"deprecated":false,"signature_version":"v1"},{"signature_type":"Function","signature_version":"v1","id":"ASB-A-213850092-8c6acba6","source":"https://android.googlesource.com/platform/frameworks/av/+/5cbca291a6d288fa6d471c0dc223537ca12700d3","target":{"function":"C2DmaBufAllocation::unmap","file":"media/codec2/vndk/C2DmaBufAllocator.cpp"},"deprecated":false,"digest":{"length":784,"function_hash":"167525502730782928918426667957436792503"}},{"signature_type":"Function","signature_version":"v1","id":"ASB-A-213850092-d009792b","source":"https://android.googlesource.com/platform/frameworks/av/+/5cbca291a6d288fa6d471c0dc223537ca12700d3","target":{"function":"C2DmaBufAllocation::map","file":"media/codec2/vndk/C2DmaBufAllocator.cpp"},"deprecated":false,"digest":{"length":718,"function_hash":"81310799912256614906691639230053021652"}}],"severity":"High","types":["ID"],"spl":"2022-07-01","fixes":["https://android.googlesource.com/platform/frameworks/av/+/5cbca291a6d288fa6d471c0dc223537ca12700d3"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-213850092.json"}}],"schema_version":"1.7.5"}