{"id":"ASB-A-239267173","details":"In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-239267173","CVE-2022-20473"],"modified":"2026-04-30T15:48:46.890647Z","published":"2022-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/minikin/+/c77b7cd6c1f57a43bcbf8bd012b84aa9d77746e2"}],"affected":[{"package":{"name":"platform/frameworks/minikin","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-12-01"}]}],"versions":["10"],"ecosystem_specific":{"spl":"2022-12-01","vanir_signatures":[{"target":{"file":"libs/minikin/LocaleListCache.cpp"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d","deprecated":false,"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["164770276943141582052722884901448753939","226110374688780666042726420171495378549","37258808521350274540810683463877721557","201172805881024670900963815845901526338"],"threshold":0.9},"id":"ASB-A-239267173-225cce11"},{"target":{"file":"libs/minikin/LocaleListCache.cpp","function":"toLanguageTag"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d","deprecated":false,"signature_version":"v1","signature_type":"Function","digest":{"function_hash":"198706616613895809767354008574302764265","length":1152},"id":"ASB-A-239267173-7ce2f1ff"}],"types":["RCE"],"fixes":["https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239267173.json"}},{"package":{"name":"platform/frameworks/minikin","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-12-01"}]}],"versions":["11"],"ecosystem_specific":{"spl":"2022-12-01","vanir_signatures":[{"target":{"file":"libs/minikin/LocaleListCache.cpp","function":"toLanguageTag"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d","deprecated":false,"signature_version":"v1","signature_type":"Function","digest":{"function_hash":"198706616613895809767354008574302764265","length":1152},"id":"ASB-A-239267173-08371c85"},{"target":{"file":"libs/minikin/LocaleListCache.cpp"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d","deprecated":false,"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["164770276943141582052722884901448753939","226110374688780666042726420171495378549","37258808521350274540810683463877721557","201172805881024670900963815845901526338"],"threshold":0.9},"id":"ASB-A-239267173-85650455"}],"types":["RCE"],"fixes":["https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239267173.json"}},{"package":{"name":"platform/frameworks/minikin","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-12-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2022-12-01","vanir_signatures":[{"target":{"file":"libs/minikin/LocaleListCache.cpp"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d","deprecated":false,"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["164770276943141582052722884901448753939","226110374688780666042726420171495378549","37258808521350274540810683463877721557","201172805881024670900963815845901526338"],"threshold":0.9},"id":"ASB-A-239267173-3c1f1bb7"},{"target":{"file":"libs/minikin/LocaleListCache.cpp","function":"toLanguageTag"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d","deprecated":false,"signature_version":"v1","signature_type":"Function","digest":{"function_hash":"198706616613895809767354008574302764265","length":1152},"id":"ASB-A-239267173-4526d730"}],"types":["RCE"],"fixes":["https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239267173.json"}},{"package":{"name":"platform/frameworks/minikin","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-12-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2022-12-01","vanir_signatures":[{"target":{"file":"libs/minikin/LocaleListCache.cpp","function":"toLanguageTag"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d","deprecated":false,"signature_version":"v1","signature_type":"Function","digest":{"function_hash":"198706616613895809767354008574302764265","length":1152},"id":"ASB-A-239267173-59b0ed84"},{"target":{"file":"libs/minikin/LocaleListCache.cpp"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d","deprecated":false,"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["164770276943141582052722884901448753939","226110374688780666042726420171495378549","37258808521350274540810683463877721557","201172805881024670900963815845901526338"],"threshold":0.9},"id":"ASB-A-239267173-d044e270"}],"types":["RCE"],"fixes":["https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239267173.json"}},{"package":{"name":"platform/frameworks/minikin","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2022-12-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2022-12-01","vanir_signatures":[{"target":{"file":"libs/minikin/LocaleListCache.cpp","function":"toLanguageTag"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d","deprecated":false,"signature_version":"v1","signature_type":"Function","digest":{"function_hash":"198706616613895809767354008574302764265","length":1152},"id":"ASB-A-239267173-6608846d"},{"target":{"file":"libs/minikin/LocaleListCache.cpp"},"source":"https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d","deprecated":false,"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["164770276943141582052722884901448753939","226110374688780666042726420171495378549","37258808521350274540810683463877721557","201172805881024670900963815845901526338"],"threshold":0.9},"id":"ASB-A-239267173-8ffe1fd8"}],"types":["RCE"],"fixes":["https://android.googlesource.com/platform/frameworks/minikin/+/a8265407660edaa1006545a6401d6409c05acb5d"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239267173.json"}}],"schema_version":"1.7.5"}