SB2022031038 - Multiple vulnerabilities in Google Pixel
Published: March 10, 2022 Updated: September 19, 2025
Description
This security bulletin contains information about 41 security vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-39734)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists because the application does not properly impose security restrictions within the Telephony component. A local application can escalate privileges on the system.
2) Input validation error (CVE-ID: CVE-2021-30299)
The vulnerability allows a malicious application to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the Audio component. A local application can trigger a boundary error and execute arbitrary code with elevated privileges.
3) Information disclosure (CVE-ID: CVE-2021-30331)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in Data Modem. A local application can send a specially crafted external command via DIAG interface and gain unauthorized access to sensitive information on the system.
4) Input validation error (CVE-ID: CVE-2021-39710)
The vulnerability allows a local application to elevate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input within the Telephony component. A local application can execute arbitrary code with elevated privileges.
5) Double Free (CVE-ID: CVE-2021-22600)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in the packet_set_ring() function in net/packet/af_packet.c. A local user can pass specially crafted data to the application, trigger a double free error and escalate privileges on the system.
Note, the vulnerability is being actively exploited in the wild against Android users.
6) Type Confusion (CVE-ID: CVE-2021-33624)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a type confusion error within kernel/bpf/verifier.c in the Linux kernel. An unprivileged BPF program can read arbitrary memory locations via a side-channel attack.
7) Out-of-bounds write (CVE-ID: CVE-2021-39793)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the kbase_jd_user_buf_pin_pages() function in mali_kbase_mem.c. A malicious application can trigger an out-of-bounds write and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
8) Buffer overflow (CVE-ID: CVE-2021-43267)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in net/tipc/crypto.c in the Linux kernel. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.
A remote attacker can send specially crafted MSG_CRYPTO messages to the affected system, trigger memory corruption and execute arbitrary code on the system.
9) Double Free (CVE-ID: CVE-2021-37159)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists because the hso_free_net_device() function in drivers/net/usb/hso.c in the Linux kernel calls unregister_netdev without checking for the NETREG_REGISTERED state. A local user can trigger double free and use-after-free errors and execute arbitrary code with elevated privileges.
10) Race condition (CVE-ID: CVE-2021-39712)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition in the Linux kernel. A local user can exploit the race, gain unauthorized access to sensitive information and escalate privileges on the system.
11) Security features bypass (CVE-ID: CVE-2021-39713)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to multiple issues in the Qdisc implementation related to the RCU read lock. A local application can execute arbitrary code with elevated privileges.
12) Integer overflow (CVE-ID: CVE-2021-39714)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an integer overflow within the ion_buffer_kmap_get() function in ion.c. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.
13) Out-of-bounds write (CVE-ID: CVE-2021-41864)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing untrusted input. A local user can gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information.
14) Information disclosure (CVE-ID: CVE-2021-21781)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in the ARM SIGPAGE functionality. A userland application can read the contents of the sigpage, which can leak kernel memory contents.
15) Out-of-bounds read (CVE-ID: CVE-2021-39711)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to an incorrect size value when processing files in bpf_prog_test_run_skb of test_run.c. A local user with System execution privileges can trigger an out-of-bounds read error and read contents of memory on the system.
16) Heap-based buffer overflow (CVE-ID: CVE-2021-25479)
The vulnerability allows a local application to elevate privileges on the system.
The vulnerability exists due to a boundary error within the LTE RRC Reconfiguration. A malicious application can trigger a heap-based buffer overflow and execute arbitrary code with elevated privileges.
17) Memory leak (CVE-ID: CVE-2021-39715)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a memory leak within the __show_regs() function in process.c. A local application can gain access to sensitive information on the system.
18) Out-of-bounds read (CVE-ID: CVE-2021-39792)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the usb_gadget_giveback_request() function in core.c. A local application can trigger an out-of-bounds read error and read contents of memory on the system.
19) Out-of-bounds write (CVE-ID: CVE-2021-43975)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the hw_atl_utils_fw_rpc_wait() function in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c in the Linux kernel. A local user can attach a specially crafted device to the system, trigger an out-of-bounds write and execute arbitrary code with elevated privileges.
20) Input validation error (CVE-ID: CVE-2021-39720)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within the Modem subsystem in Android Pixel. A remote attacker can pass specially crafted input to the system and execute arbitrary code.
21) Input validation error (CVE-ID: CVE-2021-39723)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within the Modem subsystem in Android Pixel. A remote attacker can pass specially crafted input to the system and execute arbitrary code.
22) Input validation error (CVE-ID: CVE-2021-39737)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within the Modem subsystem in Android Pixel. A remote attacker can pass specially crafted input to the system and execute arbitrary code.
23) Input validation error (CVE-ID: CVE-2021-25279)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input within the Modem subsystem in Android Pixel. A local application can execute arbitrary code with elevated privileges.
24) Stack-based buffer overflow (CVE-ID: CVE-2021-25478)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error in LTE RRC Connection Reconfiguration. A local application can trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.
25) Race condition (CVE-ID: CVE-2021-39727)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a race condition in eicPresentationRetrieveEntryValue of acropora/app/identity/libeic/EicPresentation.c. A local application with system privileges can exploit the race and gain unauthorized access to sensitive information.
26) Out-of-bounds read (CVE-ID: CVE-2021-39726)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to an incorrect bounds check in cd_ParseMsg of cd_codec.c when processing files. A local application can trigger an out-of-bounds read error and read contents of memory on the system.
27) Out-of-bounds write (CVE-ID: CVE-2021-39718)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error in the ProtocolStkProactiveCommandAdapter::Init() function of protocolstkadapter.cpp when processing untrusted input. A local application with system privileges can trigger an out-of-bounds write and escalate privileges on the system.
28) Integer overflow (CVE-ID: CVE-2021-39719)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an integer overflow in lwis_top_register_io of lwis_device_top.c. A local application with system privileges can trigger the integer overflow and escalate privileges on the system.
29) Out-of-bounds write (CVE-ID: CVE-2021-39721)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a memory corruption error that can lead to an out-of-bounds write. A local application with system privileges can trigger the out-of-bounds write and escalate privileges on the system.
30) Double Free (CVE-ID: CVE-2021-39725)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error in gasket_free_coherent_memory_all of gasket_page_table.c. A local application with system privileges can trigger a double free error and escalate privileges on the system.
31) Out-of-bounds write (CVE-ID: CVE-2021-39729)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a missing bounds check that can lead to an out-of-bounds write. A local application with system privileges can trigger the out-of-bounds write and escalate privileges on the system.
32) Out-of-bounds write (CVE-ID: CVE-2021-39731)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an incorrect bounds check in the ProtocolStkProactiveCommandAdapter::Init() function of protocolstkadapter.cpp. A local application with system privileges can trigger an out-of-bounds write and escalate privileges on the system.
33) Integer overflow (CVE-ID: CVE-2021-39732)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an integer overflow in copy_io_entries of lwis_ioctl.c. A local application can trigger the integer overflow and escalate privileges on the system.
34) Input validation error (CVE-ID: CVE-2021-39733)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in amcs_cdev_unlocked_ioctl of audiometrics.c. A local application with system privileges can trigger the vulnerability and escalate privileges on the system.
35) Race condition (CVE-ID: CVE-2021-39735)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a race condition in gasket_alloc_coherent_memory of gasket_page_table.c. A local application with system privileges can exploit the race and escalate privileges on the system.
36) Integer overflow (CVE-ID: CVE-2021-39736)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to an integer overflow in prepare_io_entry and prepare_response of lwis_ioctl.c and lwis_periodic_io.c. A local application with system privileges can trigger the integer overflow and escalate privileges on the system.
37) Information disclosure (CVE-ID: CVE-2021-39716)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A local application can gain unauthorized access to sensitive information on the system.
38) Out-of-bounds read (CVE-ID: CVE-2021-39717)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to an incorrect bounds check in iaxxx_btp_write_words of iaxxx-btp.c when processing files. A local application with system privileges can trigger an out-of-bounds read error and read contents of memory on the system.
39) Out-of-bounds read (CVE-ID: CVE-2021-39722)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to an incorrect bounds check in the ProtocolStkProactiveCommandAdapter::Init() function of protocolstkadapter.cpp when processing files. A local application with system privileges can trigger an out-of-bounds read error and read contents of memory on the system.
40) Out-of-bounds read (CVE-ID: CVE-2021-39724)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to a missing bounds check in the TuningProviderBase::GetTuningTreeSet() function of tuning_provider_base.cc when processing files. A local application with system privileges can trigger an out-of-bounds read error and read contents of memory on the system.
41) Out-of-bounds read (CVE-ID: CVE-2021-39730)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to a missing bounds check when processing files. A local application with system privileges can trigger an out-of-bounds read error and read contents of memory on the system.
Remediation
Install the update from the vendor's website.