{"id":"ASB-A-239210579","details":"In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-239210579","CVE-2022-20472"],"modified":"2026-05-29T15:55:33.750044621Z","published":"2022-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/minikin/+/b215af1ecb2d5e9cec23444978fccc72d3821c98"}],"affected":[{"package":{"name":"platform/frameworks/minikin","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-12-01"}]}],"versions":["10"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/minikin/+/d8a427cc9c8a722b0911af5139b10b0a6aeb0e03"],"severity":"Critical","types":["RCE"],"spl":"2022-12-01","vanir_signatures":[{"signature_version":"v1","target":{"file":"libs/minikin/LocaleListCache.cpp","function":"toLanguageTag"},"signature_type":"Function","digest":{"length":1060,"function_hash":"152948757818298646151844135874724150576"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/d8a427cc9c8a722b0911af5139b10b0a6aeb0e03","deprecated":false,"id":"ASB-A-239210579-be0859dd"},{"deprecated":false,"target":{"file":"libs/minikin/LocaleListCache.cpp"},"signature_type":"Line","digest":{"line_hashes":["311606954623645014405006219303463805465","241199747390157345748406894549090239946","285900964479397606537853783197812129489","197897737091753768722222239047080504598","71759189750102407818191791820821522474","157532236812911576354397536908371080903","292516064325142511290277124646580853728","100923073751965899328259216077403220810"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/d8a427cc9c8a722b0911af5139b10b0a6aeb0e03","signature_version":"v1","id":"ASB-A-239210579-c3e08b40"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239210579.json"}},{"package":{"name":"platform/frameworks/minikin","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-12-01"}]}],"versions":["11"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/minikin/+/df1b59a77619ce831d8e5078c125cc2557a9ea35"],"severity":"Critical","types":["RCE"],"spl":"2022-12-01","vanir_signatures":[{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/minikin/+/df1b59a77619ce831d8e5078c125cc2557a9ea35","signature_type":"Line","digest":{"line_hashes":["311606954623645014405006219303463805465","241199747390157345748406894549090239946","285900964479397606537853783197812129489","197897737091753768722222239047080504598","71759189750102407818191791820821522474","157532236812911576354397536908371080903","292516064325142511290277124646580853728","100923073751965899328259216077403220810"],"threshold":0.9},"target":{"file":"libs/minikin/LocaleListCache.cpp"},"signature_version":"v1","id":"ASB-A-239210579-5e49c3b5"},{"deprecated":false,"target":{"file":"libs/minikin/LocaleListCache.cpp","function":"toLanguageTag"},"signature_type":"Function","digest":{"length":1148,"function_hash":"44544224249926763090065890534562730262"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/df1b59a77619ce831d8e5078c125cc2557a9ea35","signature_version":"v1","id":"ASB-A-239210579-9604c377"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239210579.json"}},{"package":{"name":"platform/frameworks/minikin","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-12-01"}]}],"versions":["12"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/minikin/+/fde7f4a25ca4f1405bea3816c71cea64d80a9c81"],"severity":"Critical","types":["RCE"],"spl":"2022-12-01","vanir_signatures":[{"deprecated":false,"target":{"file":"libs/minikin/LocaleListCache.cpp"},"signature_type":"Line","digest":{"line_hashes":["311606954623645014405006219303463805465","241199747390157345748406894549090239946","285900964479397606537853783197812129489","197897737091753768722222239047080504598","71759189750102407818191791820821522474","157532236812911576354397536908371080903","292516064325142511290277124646580853728","100923073751965899328259216077403220810"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/fde7f4a25ca4f1405bea3816c71cea64d80a9c81","signature_version":"v1","id":"ASB-A-239210579-28e85dc8"},{"signature_version":"v1","target":{"file":"libs/minikin/LocaleListCache.cpp","function":"toLanguageTag"},"signature_type":"Function","digest":{"length":1148,"function_hash":"44544224249926763090065890534562730262"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/fde7f4a25ca4f1405bea3816c71cea64d80a9c81","deprecated":false,"id":"ASB-A-239210579-72f10ff2"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239210579.json"}},{"package":{"name":"platform/frameworks/minikin","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-12-01"}]}],"versions":["12L"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/minikin/+/c2380d94c6ed84542dd201c039a079cbf927bd24"],"spl":"2022-12-01","severity":"Critical","types":["RCE"],"vanir_signatures":[{"signature_version":"v1","target":{"file":"libs/minikin/LocaleListCache.cpp","function":"toLanguageTag"},"signature_type":"Function","digest":{"length":1148,"function_hash":"44544224249926763090065890534562730262"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/c2380d94c6ed84542dd201c039a079cbf927bd24","deprecated":false,"id":"ASB-A-239210579-5f962a9b"},{"signature_version":"v1","target":{"file":"libs/minikin/LocaleListCache.cpp"},"signature_type":"Line","digest":{"line_hashes":["311606954623645014405006219303463805465","241199747390157345748406894549090239946","285900964479397606537853783197812129489","197897737091753768722222239047080504598","71759189750102407818191791820821522474","157532236812911576354397536908371080903","292516064325142511290277124646580853728","100923073751965899328259216077403220810"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/c2380d94c6ed84542dd201c039a079cbf927bd24","deprecated":false,"id":"ASB-A-239210579-a1d5b13c"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239210579.json"}},{"package":{"name":"platform/frameworks/minikin","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2022-12-01"}]}],"versions":["13"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/minikin/+/d5d0c70c3c73167a6564dc3e8843ab1f567b4676"],"spl":"2022-12-01","severity":"Critical","types":["RCE"],"vanir_signatures":[{"signature_version":"v1","target":{"file":"libs/minikin/LocaleListCache.cpp"},"signature_type":"Line","digest":{"line_hashes":["311606954623645014405006219303463805465","241199747390157345748406894549090239946","285900964479397606537853783197812129489","197897737091753768722222239047080504598","71759189750102407818191791820821522474","157532236812911576354397536908371080903","292516064325142511290277124646580853728","100923073751965899328259216077403220810"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/d5d0c70c3c73167a6564dc3e8843ab1f567b4676","deprecated":false,"id":"ASB-A-239210579-248e174e"},{"signature_version":"v1","target":{"file":"libs/minikin/LocaleListCache.cpp","function":"toLanguageTag"},"signature_type":"Function","digest":{"length":1148,"function_hash":"44544224249926763090065890534562730262"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/d5d0c70c3c73167a6564dc3e8843ab1f567b4676","deprecated":false,"id":"ASB-A-239210579-e3bb318f"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239210579.json"}}],"schema_version":"1.7.5"}