October

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the September 2022 Android security bulletin:

Critical: none

High: CVE-2022-20395, CVE-2022-22822, CVE-2022-23852, CVE-2022-23990, CVE-2022-25314, CVE-2022-25704, CVE-2022-22095, CVE-2021-0697, CVE-2021-0871, CVE-2021-0942, CVE-2021-0943, CVE-2022-25670

Medium: CVE-2022-28388, CVE-2022-20254, CVE-2022-20268, CVE-2022-20274, CVE-2022-20308, CVE-2022-20325, CVE-2022-20331

Low: none

Already included in previous updates: CVE-2022-20361, CVE-2022-20082, CVE-2022-20081, CVE-2021-39765, CVE-2022-25657, CVE-2022-22082, CVE-2022-22083, CVE-2022-22084, CVE-2022-22085, CVE-2022-22086, CVE-2022-22087, CVE-2021-0698, CVE-2021-0887, CVE-2021-0891, CVE-2021-0946, CVE-2021-0947, CVE-2021-39815, CVE-2022-20122

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-40017: Vunerability of not verifying the validity of the key's format in the HW_KEYMASTER module

Severity: Critical

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause out-of-bounds access.

CVE-2021-46839: Lack of length check vulnerability in the HW_KEYMASTER module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers can construct malicious data and cause out-of-bounds access.

CVE-2021-46840: Out-of-bounds access vulnerability in parameter set verification of the HW_KEYMASTER module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers can construct malicious data and cause out-of-bounds access.

CVE-2022-38983: UAF vulnerability in the BT Hfp Client module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause arbitrary code execution.

CVE-2022-38984: Vulnerability of not verifying the data transferred by kernel space in the HIPP module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will cause out-of-bounds read, affecting confidentiality.

Acknowledgment: Wen Guanxing

CVE-2022-38985: Input verification vulnerability in the facial recognition module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38986: Vulnerability of bypassing the check of data transferred by kernel space in the HIPP module

Severity: Critical

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause out-of-bounds access to the HIPP module and page table tampering, affecting device confidentiality and availability.

Acknowledgment: Wen Guanxing

CVE-2022-38998: Vulnerability of not verifying the data transferred by kernel space in the HISP module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will cause out-of-bounds read, affecting confidentiality.

Acknowledgment: Wen Guanxing

CVE-2022-39011: Vulnerability of bypassing the check of data transferred by kernel space in the HISP module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause unauthorized access to the HISP module.

Acknowledgment: Wen Guanxing

CVE-2022-41576: boot.sh script that can be modified by malicious programs in the rphone module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability can cause irreversible program implantation on the user's device.

CVE-2022-41577: Vulnerability that kernel space does not verify the length of the data transferred by user space

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Out-of-bounds read may occur in the kernel, affecting device confidentiality and availability.

CVE-2022-41578: Out-of-bounds write vulnerability in the mptcp module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause attack programs to modify program information to implement root privilege escalation attacks.

CVE-2022-41580: Vulnerability of not verifying the read content in the HW_KEYMASTER module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers can construct malicious data and cause out-of-bounds access.

CVE-2022-41581: Vulnerability of not verifying the read content in the HW_KEYMASTER module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers can construct malicious data and cause out-of-bounds access.

CVE-2022-41582: Configuration defects.in the security module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2022-41583: Array out-of-bounds read vulnerability in the storage maintenance and debugging module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will cause some statistics of the module to be abnormal.

CVE-2022-41584: Out-of-bounds read vulnerability in the kernel module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause memory overwritting.

CVE-2022-41585: Out-of-bounds read vulnerability in the kernel module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause memory overwritting.

CVE-2022-41586: Untruncated data vulnerability in the communication framework module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-41587: Uncaptured exceptions in the home screen module

Severity: Medium

Affected versions: EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect stability.

CVE-2022-41588: Service logic exception vulnerability in the home screen module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2022-41589: Interface misuse vulnerability in the Maple DFX stack module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability can affect system services and device availability.

CVE-2022-41592: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41593: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41594: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41595: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41597: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41598: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41600: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41601: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41602: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.

CVE-2022-41603: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Attackers with the root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.