{"id":"ASB-A-224314979","details":"In transportDec_OutOfBandConfig of tpdec_lib.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-224314979","CVE-2022-20130"],"modified":"2026-04-28T15:17:37.552933Z","published":"2022-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-06-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/external/aac/+/eb07c22519d94e573f2a02947094acd2219dc07a"}],"affected":[{"package":{"name":"platform/external/aac","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L-next:0"},{"fixed":"12L-next:2022-06-01"}]}],"versions":["12L-next"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Function","id":"ASB-A-224314979-45959e09","digest":{"function_hash":"14688623539237930573622344493800917118","length":2284},"source":"https://android.googlesource.com/platform/external/aac/+/067929dcd3467fd8e1383303efaff2cfc37224e9","target":{"function":"transportDec_OutOfBandConfig","file":"libMpegTPDec/src/tpdec_lib.cpp"},"signature_version":"v1","deprecated":false},{"signature_type":"Line","id":"ASB-A-224314979-885abf8a","digest":{"line_hashes":["41834245073546748005348337198116649443","296567283181987654677179610525862122783","108587633537507210242609878158511307392","263040339922716737265934089119049662491","13461143593537092071846640702810093743"],"threshold":0.9},"source":"https://android.googlesource.com/platform/external/aac/+/067929dcd3467fd8e1383303efaff2cfc37224e9","target":{"file":"libMpegTPDec/src/tpdec_lib.cpp"},"signature_version":"v1","deprecated":false}],"severity":"Critical","types":["RCE"],"spl":"2022-06-01","fixes":["https://android.googlesource.com/platform/external/aac/+/067929dcd3467fd8e1383303efaff2cfc37224e9"]},"database_specific":{"source":"https://storage
.googleapis.com/android-osv/ASB-A-224314979.json"}},{"package":{"name":"platform/external/aac","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-06-01"}]}],"versions":["10"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Function","id":"ASB-A-224314979-15504185","digest":{"function_hash":"14688623539237930573622344493800917118","length":2284},"source":"https://android.googlesource.com/platform/external/aac/+/eb07c22519d94e573f2a02947094acd2219dc07a","target":{"function":"transportDec_OutOfBandConfig","file":"libMpegTPDec/src/tpdec_lib.cpp"},"signature_version":"v1","deprecated":false},{"signature_type":"Line","id":"ASB-A-224314979-faefdf1e","digest":{"line_hashes":["41834245073546748005348337198116649443","296567283181987654677179610525862122783","108587633537507210242609878158511307392","263040339922716737265934089119049662491","13461143593537092071846640702810093743"],"threshold":0.9},"source":"https://android.googlesource.com/platform/external/aac/+/eb07c22519d94e573f2a02947094acd2219dc07a","target":{"file":"libMpegTPDec/src/tpdec_lib.cpp"},"signature_version":"v1","deprecated":false}],"severity":"Critical","types":["RCE"],"spl":"2022-06-01","fixes":["https://android.googlesource.com/platform/external/aac/+/eb07c22519d94e573f2a02947094acd2219dc07a"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-224314979.json"}},{"package":{"name":"platform/external/aac","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-06-01"}]}],"versions":["11"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","id":"ASB-A-224314979-096f7809","digest":{"line_hashes":["41834245073546748005348337198116649443","296567283181987654677179610525862122783","108587633537507210242609878158511307392","263040339922716737265934089119049662491","13461143593537092071846640702810093743"],"threshold":0.9},"source":"https://android.googlesour
ce.com/platform/external/aac/+/6a3817573b089f01b13f4f3a195dda8a345d8fe0","target":{"file":"libMpegTPDec/src/tpdec_lib.cpp"},"signature_version":"v1","deprecated":false},{"signature_type":"Function","id":"ASB-A-224314979-4a17c1c2","digest":{"function_hash":"14688623539237930573622344493800917118","length":2284},"source":"https://android.googlesource.com/platform/external/aac/+/6a3817573b089f01b13f4f3a195dda8a345d8fe0","target":{"function":"transportDec_OutOfBandConfig","file":"libMpegTPDec/src/tpdec_lib.cpp"},"signature_version":"v1","deprecated":false}],"severity":"Critical","types":["RCE"],"spl":"2022-06-01","fixes":["https://android.googlesource.com/platform/external/aac/+/6a3817573b089f01b13f4f3a195dda8a345d8fe0"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-224314979.json"}},{"package":{"name":"platform/external/aac","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-06-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Function","id":"ASB-A-224314979-22721a4c","digest":{"function_hash":"14688623539237930573622344493800917118","length":2284},"source":"https://android.googlesource.com/platform/external/aac/+/23ef1ac38c2dae4cd755880fc8f98491efd26027","target":{"function":"transportDec_OutOfBandConfig","file":"libMpegTPDec/src/tpdec_lib.cpp"},"signature_version":"v1","deprecated":false},{"signature_type":"Line","id":"ASB-A-224314979-fb38480f","digest":{"line_hashes":["41834245073546748005348337198116649443","296567283181987654677179610525862122783","108587633537507210242609878158511307392","263040339922716737265934089119049662491","13461143593537092071846640702810093743"],"threshold":0.9},"source":"https://android.googlesource.com/platform/external/aac/+/23ef1ac38c2dae4cd755880fc8f98491efd26027","target":{"file":"libMpegTPDec/src/tpdec_lib.cpp"},"signature_version":"v1","deprecated":false}],"severity":"Critical","types":["RCE"],"spl":"2022-06-
01","fixes":["https://android.googlesource.com/platform/external/aac/+/23ef1ac38c2dae4cd755880fc8f98491efd26027"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-224314979.json"}},{"package":{"name":"platform/external/aac","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-06-01"}]}],"versions":["12L"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","id":"ASB-A-224314979-12997a9a","digest":{"line_hashes":["41834245073546748005348337198116649443","296567283181987654677179610525862122783","108587633537507210242609878158511307392","263040339922716737265934089119049662491","13461143593537092071846640702810093743"],"threshold":0.9},"source":"https://android.googlesource.com/platform/external/aac/+/2768a078f34a4d6cdb05916ad0e1f02d4c73fb6b","target":{"file":"libMpegTPDec/src/tpdec_lib.cpp"},"signature_version":"v1","deprecated":false},{"signature_type":"Function","id":"ASB-A-224314979-9cdb4d92","digest":{"function_hash":"14688623539237930573622344493800917118","length":2284},"source":"https://android.googlesource.com/platform/external/aac/+/2768a078f34a4d6cdb05916ad0e1f02d4c73fb6b","target":{"function":"transportDec_OutOfBandConfig","file":"libMpegTPDec/src/tpdec_lib.cpp"},"signature_version":"v1","deprecated":false}],"severity":"Critical","types":["RCE"],"spl":"2022-06-01","fixes":["https://android.googlesource.com/platform/external/aac/+/2768a078f34a4d6cdb05916ad0e1f02d4c73fb6b"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-224314979.json"}}],"schema_version":"1.7.5"}