HUAWEI EMUI/Magic UI security updates September 2022
HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:
This security update includes the following third-party library patches:
This security update includes the CVEs announced in the August 2022 Android security bulletin:
Critical: none
High: CVE-2021-39696, CVE-2022-20344, CVE-2022-20346, CVE-2022-20347, CVE-2022-20348, CVE-2022-20349, CVE-2022-20350, CVE-2022-20355, CVE-2022-20358, CVE-2022-22080
Medium: CVE-2021-3609, CVE-2022-1055, CVE-2022-20158, CVE-2022-20368, CVE-2022-20371, CVE-2022-27666, CVE-2022-29581
Low: none
Already included in previous updates: CVE-2022-20219, CVE-2022-21744, CVE-2022-20083, CVE-2022-20126, CVE-2022-20133, CVE-2021-35102, CVE-2021-35120, CVE-2021-30318, CVE-2021-1942, CVE-2021-35104
※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).
This security update includes the following HUAWEI patches:
CVE-2021-40019: Out-of-bounds heap read vulnerability in the HW_KEYMASTER module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may cause out-of-bounds access.
CVE-2021-40023: Configuration defects in the secure OS module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2021-40024: Information leakage vulnerability in the interface implementation of the WLAN module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2021-46836: Information leakage vulnerability in the interface implementation of the WLAN module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2022-38978: Configuration defects in the secure OS module
Severity: Medium
Affected versions: EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2022-38979: Configuration defects in the secure OS module
Severity: Medium
Affected versions: EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2022-38987: Configuration defects in the secure OS module
Severity: Critical
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect service availability.
CVE-2022-38988: Configuration defects in the secure OS module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2022-38989: Configuration defects in the secure OS module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect service availability.
CVE-2022-38990: Configuration defects in the secure OS module
Severity: Critical
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect service availability.
CVE-2022-38991: Configuration defects in the secure OS module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2022-38992: Configuration defects in the secure OS module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2022-38993: Configuration defects in the secure OS module
Severity: Critical
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect service availability.
CVE-2022-38994: Configuration defects in the secure OS module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2022-38995: Configuration defects in the secure OS module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect service availability.
CVE-2022-38996: Configuration defects in the secure OS module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect service availability.
CVE-2022-38997: Configuration defects in the secure OS module
Severity: Medium
Affected versions: EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2022-38999: Improper update of reference count vulnerability in the AOD module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will affect integrity, confidentiality, and availability.
CVE-2022-39000: Malicious app control vulnerability in the iAware module
Severity: High
Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0
Impact: Successful exploitation of this vulnerability will cause malicious apps to automatically start upon system startup.
CVE-2022-39001: Path traversal vulnerability in the number identification module
Severity: High
Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0
Impact: Successful exploitation of this vulnerability will cause data leakage.
CVE-2022-39002: Double free vulnerability in the storage module
Severity: High
Affected versions: EMUI 11.0.0, Magic UI 4.0.0
Impact: Successful exploitation of this vulnerability will cause the memory to be freed twice.
CVE-2022-39003: Buffer overflow vulnerability in the video framework
Severity: Medium
Affected versions: EMUI 11.0.0, Magic UI 4.0.0
Impact: Successful exploitation of this vulnerability will affect the confidentiality and integrity of trusted components.
CVE-2022-39004: Memory leak vulnerability in the MPTCP module
Severity: High
Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0
Impact: Successful exploitation of this vulnerability can cause a memory leak.
CVE-2022-39005: Memory leak vulnerability in the MPTCP module
Severity: Medium
Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0
Impact: Successful exploitation of this vulnerability can cause a memory leak.
CVE-2022-39006: Race condition vulnerability in the MPTCP module
Severity: Critical
Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0
Impact: Successful exploitation of this vulnerability may cause the device to restart.
CVE-2022-39007: Permission verification bypass vulnerability in the Location module
Severity: High
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may lead to privilege escalation.
CVE-2022-39008: Bundle serialization/deserialization mismatch vulnerability in the NFC module
Severity: High
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may cause third-party apps to read and write arbitrary system app files.
CVE-2022-39009: Permission verification vulnerability in the WLAN module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may cause third-party apps to affect WLAN functions.
CVE-2022-39010: Permission control vulnerability in the HwChrService module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may cause third-party apps to obtain user network information.
CVE-2020-36600: Out-of-bounds write vulnerability in the power consumption module
Severity: High
Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0
Impact: Successful exploitation of this vulnerability may cause the system to restart.
Acknowledgment: Wen Guanxing
CVE-2020-36601: Out-of-bounds write vulnerability in the kernel modules
Severity: Medium
Affected versions: EMUI 10.1.0, Magic UI 3.1.0
Impact: Successful exploitation of this vulnerability may cause a panic reboot.
Acknowledgment: Wen Guanxing