{"id":"ASB-A-227618988","details":"In read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-227618988","CVE-2022-20140"],"modified":"2026-05-01T15:24:27.653932Z","published":"2022-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-06-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/system/bt/+/7056e665e7d4782af9474b1645c59afbb2b76efd"}],"affected":[{"package":{"name":"platform/packages/modules/Bluetooth","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L-next:0"},{"fixed":"12L-next:2022-06-01"}]}],"versions":["12L-next"],"ecosystem_specific":{"severity":"Critical","types":["EoP"],"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/bad21c8ef4c494648d6883631077d429bce5e496"],"vanir_signatures":[{"id":"ASB-A-227618988-7f99c528","target":{"file":"system/stack/gatt/gatt_sr.cc","function":"build_read_multi_rsp"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/bad21c8ef4c494648d6883631077d429bce5e496","digest":{"function_hash":"233824492755109360476512271087818456289","length":1800},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"ASB-A-227618988-bb1388df","target":{"file":"system/stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/bad21c8ef4c494648d6883631077d429bce5e496","digest":{"line_hashes":["185620860055585878484986184931846809734","103264294277517750908687834421905370315","178556365301647303878227253408669331022","70410220941579404286973999048523193428"],"threshold":0.9},"signature_type":"Line","deprecated":false,"signature_version":"v1"}],"spl":"2022-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-227618988.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-06-01"}]}],"versions":["12"],"ecosystem_specific":{"severity":"Critical","types":["EoP"],"fixes":["https://android.googlesource.com/platform/system/bt/+/7056e665e7d4782af9474b1645c59afbb2b76efd"],"vanir_signatures":[{"id":"ASB-A-227618988-225da685","target":{"file":"stack/gatt/gatt_sr.cc","function":"build_read_multi_rsp"},"source":"https://android.googlesource.com/platform/system/bt/+/7056e665e7d4782af9474b1645c59afbb2b76efd","digest":{"function_hash":"233824492755109360476512271087818456289","length":1800},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"ASB-A-227618988-ac934300","target":{"file":"stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/7056e665e7d4782af9474b1645c59afbb2b76efd","digest":{"line_hashes":["185620860055585878484986184931846809734","103264294277517750908687834421905370315","178556365301647303878227253408669331022","70410220941579404286973999048523193428"],"threshold":0.9},"signature_type":"Line","deprecated":false,"signature_version":"v1"}],"spl":"2022-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-227618988.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-06-01"}]}],"versions":["12L"],"ecosystem_specific":{"severity":"Critical","types":["EoP"],"fixes":["https://android.googlesource.com/platform/system/bt/+/7056e665e7d4782af9474b1645c59afbb2b76efd"],"vanir_signatures":[{"id":"ASB-A-227618988-6fcd5cb6","target":{"file":"stack/gatt/gatt_sr.cc","function":"build_read_multi_rsp"},"source":"https://android.googlesource.com/platform/system/bt/+/7056e665e7d4782af9474b1645c59afbb2b76efd","digest":{"function_hash":"233824492755109360476512271087818456289","length":1800},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"ASB-A-227618988-f46dc2c5","target":{"file":"stack/gatt/gatt_sr.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/7056e665e7d4782af9474b1645c59afbb2b76efd","digest":{"line_hashes":["185620860055585878484986184931846809734","103264294277517750908687834421905370315","178556365301647303878227253408669331022","70410220941579404286973999048523193428"],"threshold":0.9},"signature_type":"Line","deprecated":false,"signature_version":"v1"}],"spl":"2022-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-227618988.json"}}],"schema_version":"1.7.5"}