This report provides details for a vulnerability, CVE-2022-22292, discovered by Kryptowire that is present in various Samsung Android devices running Android versions 9, 10, 11, and 12. The vulnerability allows any local app on the device (including third-party apps with zero permissions) to provide arbitrary Intent objects that will be used by a pre-installed app (com.android.server.telecom) executing as the system user to start an activity app component (even those that are not exported) of the attacker's choosing, affecting Android versions 10, 11, and 12. The same vulnerability is present on Android 9, although there it allows zero-permission third-party apps to provide arbitrary Intent objects that are sent to broadcast receiver app components by the same vulnerable pre-installed app executing as the system user (instead of being used to start arbitrary activity app components, as in more recent Android versions). This vulnerability allows a third-party app to provide arbitrary Intent objects that will be started by a pre-installed app executing as the system user with all its permissions, privileges, and capabilities.

Start arbitrary activity app components as the system user vulnerability affecting Samsung Android devices
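The defect described above is an Intent redirection: a privileged app re-sends an Intent it received from an unprivileged caller, so the caller reaches components (including non-exported ones) with the system user's identity. The following guard is an added example, not code from the Kryptowire report or from Samsung's telecom app; it shows the check a privileged forwarder can apply before calling startActivity(), and the class, method and parameter names are assumptions for illustration.

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;

/** Guard for Intents received from another app and re-sent under our own (privileged) identity. */
public final class ForwardedIntentGuard {

    private ForwardedIntentGuard() {}

    /**
     * Decides whether {@code forwarded}, handed to us by {@code callerPkg}, may be passed to
     * startActivity(). Rule: only forward what the caller could have started on its own, so
     * that our system-user privileges add nothing to the launch.
     */
    public static boolean isSafeToStart(Context ctx, Intent forwarded, String callerPkg) {
        if (forwarded == null || callerPkg == null) return false;

        // A selector lets the real target differ from the visible one; refuse it outright.
        if (forwarded.getSelector() != null) return false;

        PackageManager pm = ctx.getPackageManager();
        ResolveInfo ri = pm.resolveActivity(forwarded, 0);
        if (ri == null || ri.activityInfo == null) return false;
        ActivityInfo target = ri.activityInfo;

        // Non-exported activities are reachable only from their own package; launching one
        // on a third party's behalf is exactly the redirection described in the report.
        if (!target.exported) return false;

        // If the target is protected by a permission, the caller itself must hold it.
        if (target.permission != null
                && pm.checkPermission(target.permission, callerPkg)
                        != PackageManager.PERMISSION_GRANTED) {
            return false;
        }
        return true;
    }

    /** Returns a copy without flags that would hand our URI grants to the launched component. */
    public static Intent withoutUriGrants(Intent forwarded) {
        int grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;
        Intent copy = new Intent(forwarded);
        copy.setFlags(copy.getFlags() & ~grantFlags);
        return copy;
    }
}
```

For the Android 9 variant, where the forwarded Intent is broadcast instead of started, the same exported and permission checks apply to each receiver returned by PackageManager.queryBroadcastReceivers().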
CVE-2022-22292 - Vulnerability affecting Samsung Android devices