{"id":"ASB-A-235601882","details":"In getSecurityLevel and setSecurityLevel of DrmPlugin.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-235601882","CVE-2022-2209"],"modified":"2026-05-22T15:55:21.353668239Z","published":"2022-11-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-11-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/av/+/0a9d181281753f911524291ffa6d1b677e36b589"}],"affected":[{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-11-01"}]}],"versions":["10"],"ecosystem_specific":{"vanir_signatures":[{"deprecated":false,"signature_version":"v1","signature_type":"Line","id":"ASB-A-235601882-20a8991b","source":"https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h"},"digest":{"threshold":0.9,"line_hashes":["206600570507894073295474146102703197710","301966792304269357357044127234123894811","98409775298683549229374608632735293169","48833439968210638194588226046263100831","16902199593063859955294065709048515752","67660272170768565958046819950078030261","176282012363886912556779996423863090481","213672981350529598701488189847833251319"]}},{"deprecated":false,"target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp","function":"DrmPlugin::getSecurityLevel"},"signature_type":"Function","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83","id":"ASB-A-235601882-43fe296c","digest":{"function_hash":"172008007703609653220403326307218805886","length":742}},{"deprecated":false,"target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp","function":"DrmPlugin::setSecurityLevel"},"signature_type":"Function","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83","id":"ASB-A-235601882-63ba17bf","digest":{"function_hash":"233893227726131803643634104514031723930","length":847}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp"},"source":"https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83","id":"ASB-A-235601882-72beb77e","digest":{"threshold":0.9,"line_hashes":["314820229105040400079662583446177036582","297080935891690787293348788050211519934","137688396380030244563965040015487994622","183541518758328601432741666417049390870","309426352547273010318657878085619773160","297535137879567466290138098861291579926"]}}],"types":["EoP"],"spl":"2022-11-01","severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/av/+/dab37c25e3337387809fd35c7cd46abf76088b83"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-235601882.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-11-01"}]}],"versions":["11"],"ecosystem_specific":{"vanir_signatures":[{"deprecated":false,"signature_version":"v1","signature_type":"Function","id":"ASB-A-235601882-2b284b60","source":"https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp","function":"DrmPlugin::getSecurityLevel"},"digest":{"function_hash":"172008007703609653220403326307218805886","length":742}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h"},"source":"https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b","id":"ASB-A-235601882-8831cc97","digest":{"threshold":0.9,"line_hashes":["206600570507894073295474146102703197710","301966792304269357357044127234123894811","98409775298683549229374608632735293169","48833439968210638194588226046263100831","336505106272266033407192897248095407303","61630820434863502233362681377103359044","177419212568401062821358697581796607386","56371828768409685143275251701015511120"]}},{"deprecated":false,"target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp"},"signature_type":"Line","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b","id":"ASB-A-235601882-e637783c","digest":{"threshold":0.9,"line_hashes":["314820229105040400079662583446177036582","297080935891690787293348788050211519934","137688396380030244563965040015487994622","183541518758328601432741666417049390870","309426352547273010318657878085619773160","297535137879567466290138098861291579926"]}},{"deprecated":false,"signature_version":"v1","signature_type":"Function","digest":{"function_hash":"233893227726131803643634104514031723930","length":847},"source":"https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp","function":"DrmPlugin::setSecurityLevel"},"id":"ASB-A-235601882-f771dff5"}],"spl":"2022-11-01","severity":"High","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/av/+/d37b69272aa68a92357baa95d0eb87012666a90b"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-235601882.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-11-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"deprecated":false,"signature_version":"v1","signature_type":"Function","digest":{"function_hash":"172008007703609653220403326307218805886","length":742},"source":"https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp","function":"DrmPlugin::getSecurityLevel"},"id":"ASB-A-235601882-50e3391a"},{"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp","function":"DrmPlugin::setSecurityLevel"},"source":"https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75","id":"ASB-A-235601882-8f1e1397","digest":{"function_hash":"233893227726131803643634104514031723930","length":847}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp"},"source":"https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75","id":"ASB-A-235601882-c977a9d1","digest":{"threshold":0.9,"line_hashes":["314820229105040400079662583446177036582","297080935891690787293348788050211519934","137688396380030244563965040015487994622","183541518758328601432741666417049390870","309426352547273010318657878085619773160","297535137879567466290138098861291579926"]}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h"},"source":"https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75","id":"ASB-A-235601882-e50df494","digest":{"threshold":0.9,"line_hashes":["339121784093313502615647951625042949295","280233560995947677736001774997186362359","208406105197990708023176398213145631936","48833439968210638194588226046263100831","336505106272266033407192897248095407303","61630820434863502233362681377103359044","177419212568401062821358697581796607386","56371828768409685143275251701015511120"]}}],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75"],"types":["EoP"],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-235601882.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-11-01"}]}],"versions":["12L"],"ecosystem_specific":{"vanir_signatures":[{"deprecated":false,"target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp","function":"DrmPlugin::setSecurityLevel"},"signature_type":"Function","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75","id":"ASB-A-235601882-1cb2cdd5","digest":{"function_hash":"233893227726131803643634104514031723930","length":847}},{"deprecated":false,"signature_version":"v1","signature_type":"Function","digest":{"function_hash":"172008007703609653220403326307218805886","length":742},"source":"https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp","function":"DrmPlugin::getSecurityLevel"},"id":"ASB-A-235601882-805b7597"},{"deprecated":false,"signature_version":"v1","signature_type":"Line","id":"ASB-A-235601882-d7cb7764","source":"https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h"},"digest":{"threshold":0.9,"line_hashes":["339121784093313502615647951625042949295","280233560995947677736001774997186362359","208406105197990708023176398213145631936","48833439968210638194588226046263100831","336505106272266033407192897248095407303","61630820434863502233362681377103359044","177419212568401062821358697581796607386","56371828768409685143275251701015511120"]}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp"},"source":"https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75","id":"ASB-A-235601882-e76be90a","digest":{"threshold":0.9,"line_hashes":["314820229105040400079662583446177036582","297080935891690787293348788050211519934","137688396380030244563965040015487994622","183541518758328601432741666417049390870","309426352547273010318657878085619773160","297535137879567466290138098861291579926"]}}],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75"],"types":["EoP"],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-235601882.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2022-11-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"deprecated":false,"signature_version":"v1","signature_type":"Line","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp"},"source":"https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75","id":"ASB-A-235601882-6494ce29","digest":{"threshold":0.9,"line_hashes":["314820229105040400079662583446177036582","297080935891690787293348788050211519934","137688396380030244563965040015487994622","183541518758328601432741666417049390870","309426352547273010318657878085619773160","297535137879567466290138098861291579926"]}},{"deprecated":false,"target":{"file":"drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h"},"signature_type":"Line","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75","id":"ASB-A-235601882-85673659","digest":{"threshold":0.9,"line_hashes":["339121784093313502615647951625042949295","280233560995947677736001774997186362359","208406105197990708023176398213145631936","48833439968210638194588226046263100831","336505106272266033407192897248095407303","61630820434863502233362681377103359044","177419212568401062821358697581796607386","56371828768409685143275251701015511120"]}},{"deprecated":false,"target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp","function":"DrmPlugin::getSecurityLevel"},"signature_type":"Function","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75","id":"ASB-A-235601882-a5552b57","digest":{"function_hash":"172008007703609653220403326307218805886","length":742}},{"deprecated":false,"signature_version":"v1","signature_type":"Function","digest":{"function_hash":"233893227726131803643634104514031723930","length":847},"source":"https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75","target":{"file":"drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp","function":"DrmPlugin::setSecurityLevel"},"id":"ASB-A-235601882-cf610d6b"}],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/av/+/9bfc2fbcc4be68bc8939a10dd7942845dc724f75"],"types":["EoP"],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-235601882.json"}}],"schema_version":"1.7.5"}