HUAWEI EMUI/Magic UI security updates July 2023
HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:
This security update includes the following third-party library patches:
This security update includes the CVEs announced in the June 2023 Android security bulletin:
Critical: CVE-2023-21108, CVE-2023-21127
High: CVE-2023-21129, CVE-2023-21131, CVE-2023-21136, CVE-2023-21137, CVE-2023-21143, CVE-2023-21144, CVE-2023-21135, CVE-2023-21124, CVE-2023-21121, CVE-2023-21138, CVE-2023-21115, CVE-2023-21657, CVE-2022-28349, CVE-2021-0701, CVE-2021-0945, CVE-2023-21656, CVE-2023-21669
Medium: none
Low: none
Already included in previous updates: none
※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).
This security update includes the following HUAWEI patches:
CVE-2021-40014: Information management error vulnerability in the bone voice ID TA
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2021-40027: Vulnerability of buffer length calculation error in the bone voice ID TA
Severity: High
Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2021-40032: Information management error vulnerability in the bone voice ID TA
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2021-46890: Vulnerability of incomplete read and write permission verification in the GPU module
Severity: Critical
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability.
CVE-2021-46891: Vulnerability of incomplete read and write permission verification in the GPU module
Severity: Critical
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability.
CVE-2021-46892: Encryption bypass vulnerability in Maintenance mode
Severity: Medium
Affected versions: EMUI 12.0.1, EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2021-46893: Vulnerability of unstrict data verification and parameter check
Severity: Critical
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect integrity.
CVE-2021-46894: Use After Free (UAF) vulnerability in the uinput module
Severity: High
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may lead to kernel privilege escalation.
CVE-2022-48507: Vulnerability of identity verification being bypassed in the storage module
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2022-48508: Inappropriate authorization vulnerability in the system apps
Severity: High
Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may affect service integrity.
CVE-2022-48509: Race condition vulnerability due to multi-thread access to mutually exclusive resources in HUAWEI Share
Severity: Medium
Affected versions: EMUI 12.0.1, EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may cause the program to exit abnormally.
CVE-2022-48510: Input verification vulnerability in the AMS module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will cause unauthorized operations.
CVE-2022-48511: Use After Free (UAF) vulnerability in the audio PCM driver module under special conditions
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may cause audio features to perform abnormally.
CVE-2022-48512: Use After Free (UAF) vulnerability in the Vdecoderservice service
Severity: High
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may cause the image decoding feature to perform abnormally.
CVE-2022-48513: Vulnerability of identity verification being bypassed in the Gallery module
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may cause out-of-bounds access.
CVE-2022-48515: Vulnerability of inappropriate permission control in Nearby
Severity: Medium
Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2022-48516: Vulnerability that a unique value can be obtained by a third-party app in the DSoftBus module
Severity: Medium
Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability will affect confidentiality.
CVE-2022-48517: Unauthorized service access vulnerability in the DSoftBus module
Severity: Medium
Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability will affect availability.
CVE-2022-48518: Vulnerability of signature verification in the iaware system being initialized later than the time when the system broadcasts are sent
Severity: Medium
Affected versions: EMUI 12.0.1, EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may cause malicious apps to start upon power-on by spoofing the package names of apps in the startup trustlist, which affects system performance.
CVE-2022-48519: Unauthorized access vulnerability in the SystemUI module
Severity: Medium
Affected versions: EMUI 12.0.1, EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect confidentiality.
CVE-2022-48520: Unauthorized access vulnerability in the SystemUI module
Severity: Medium
Affected versions: EMUI 12.0.1, EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect confidentiality.
CVE-2023-1691: Vulnerability of failures to capture exceptions in the communication framework
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.
CVE-2023-1695: Vulnerability of failures to capture exceptions in the communication framework
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.
CVE-2023-34164: Vulnerability of incomplete input parameter verification in the communication framework module
Severity: Medium
Affected versions: EMUI 13.0.0
Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2023-3455: Key management vulnerability in the system
Severity: High
Affected versions: EMUI 13.0.0
Impact: Successful exploitation of this vulnerability may affect service availability and integrity.
CVE-2023-3456: Vulnerability of kernel raw address leakage in the hang detector module
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-37238: Vulnerability of apps' permission to access a certain API being incompletely verified in the wireless projection module
Severity: Medium
Affected versions: EMUI 13.0.0
Impact: Successful exploitation of this vulnerability may affect some wireless projection features.
CVE-2023-37239: String formatting vulnerability in the distributed file system
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.1
Impact: Attackers who bypass the SELinux permission can exploit this vulnerability to crash the program.
CVE-2023-37240: Vulnerability of input length not verified in the distributed file system
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.1
Impact: Successful exploitation of this vulnerability may cause out-of-bounds read.
CVE-2023-37241: Input verification vulnerability in the WMS API
Severity: Medium
Affected versions: EMUI 13.0.0
Impact: Successful exploitation of this vulnerability may cause the device to restart.
CVE-2023-37242: Vulnerability of commands from the modem being intercepted in the atcmdserver module
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.0
Impact: Attackers may exploit this vulnerability to rewrite the non-volatile random-access memory (NVRAM), or facilitate the exploitation of other vulnerabilities.
Acknowledgment: Mateo De la Hoz, from Skidbladnir Security Labs
CVE-2023-37245: Buffer overflow vulnerability in the modem pinctrl module
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect the integrity and availability of the modem.