{"id":"ASB-A-228078096","details":"In read_attr_value of gatt_db.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-228078096","CVE-2022-20222"],"modified":"2026-04-22T14:59:17.843400Z","published":"2022-07-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-07-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/system/bt/+/a47b8c7e985fb5aa253c5b1367a631c9c028b4aa"}],"affected":[{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-07-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"target":{"function":"read_attr_value","file":"stack/gatt/gatt_db.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/6c01b49e627cd1dd29fe656d9cd5eb01205c8301","deprecated":false,"id":"ASB-A-228078096-c64731be","digest":{"length":2001,"function_hash":"237028429680686170678538706192668025085"},"signature_type":"Function","signature_version":"v1"},{"target":{"file":"stack/gatt/gatt_db.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/6c01b49e627cd1dd29fe656d9cd5eb01205c8301","deprecated":false,"id":"ASB-A-228078096-d2bc01b5","digest":{"threshold":0.9,"line_hashes":["271746948007969399780649439146152314031","299042952866365987543762007777832047713","318243900175279289348924400889235391181","289412709252196214277184826095030737563","17781346145243886110576082688024869423","56659749081856240233204289263814143202","88485116540816326733942640167814252172"]},"signature_type":"Line","signature_version":"v1"}],"spl":"2022-07-01","fixes":["https://android.googlesource.com/platform/system/bt/+/6c01b49e627cd1dd29fe656d9cd5eb01205c8301"],"types":["RCE"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-228078096.json"}},{"package":{"name":"platform/system/bt","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-07-01"}]}],"versions":["12L"],"ecosystem_specific":{"vanir_signatures":[{"target":{"function":"read_attr_value","file":"stack/gatt/gatt_db.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/6c01b49e627cd1dd29fe656d9cd5eb01205c8301","deprecated":false,"id":"ASB-A-228078096-40d78136","digest":{"length":2001,"function_hash":"237028429680686170678538706192668025085"},"signature_type":"Function","signature_version":"v1"},{"target":{"file":"stack/gatt/gatt_db.cc"},"source":"https://android.googlesource.com/platform/system/bt/+/6c01b49e627cd1dd29fe656d9cd5eb01205c8301","deprecated":false,"id":"ASB-A-228078096-478465d2","digest":{"threshold":0.9,"line_hashes":["271746948007969399780649439146152314031","299042952866365987543762007777832047713","318243900175279289348924400889235391181","289412709252196214277184826095030737563","17781346145243886110576082688024869423","56659749081856240233204289263814143202","88485116540816326733942640167814252172"]},"signature_type":"Line","signature_version":"v1"}],"spl":"2022-07-01","fixes":["https://android.googlesource.com/platform/system/bt/+/6c01b49e627cd1dd29fe656d9cd5eb01205c8301"],"types":["RCE"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-228078096.json"}}],"schema_version":"1.7.5"}