CVE-2022-20412 in Android
Summary
by MITRE • 10/12/2022
In fdt_next_tag of fdt.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-230794395
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/13/2026
The vulnerability identified as CVE-2022-20412 resides within the flattened device tree (FDT) parsing functionality of Android systems, specifically in the fdt_next_tag function located in fdt.c. This flaw represents a critical out-of-bounds read condition that occurs due to an insufficient bounds check implementation. The device tree is a data structure used by the Linux kernel to describe hardware components and their configuration, making it fundamental to system initialization and hardware abstraction. When processing device tree blobs, the system must carefully validate memory boundaries to prevent unauthorized access to adjacent memory regions.
The technical implementation flaw stems from improper boundary validation within the fdt_next_tag function where the code fails to adequately verify that subsequent memory accesses remain within the allocated device tree buffer boundaries. This incorrect bounds checking allows an attacker to craft malicious device tree data that, when processed by the vulnerable function, can cause the system to read memory locations beyond the intended buffer limits. The vulnerability specifically affects Android versions 10 through 13, indicating it has been present across multiple major releases and represents a long-standing issue in the system's device tree processing logic.
The operational impact of this vulnerability is severe, as it enables local privilege escalation with system execution privileges required for exploitation. While user interaction is not necessary for exploitation, the requirement for system execution privileges means that an attacker must already have some level of access to the device to leverage this vulnerability. However, once exploited, the out-of-bounds read could potentially be leveraged to extract sensitive kernel memory information, potentially leading to further exploitation techniques such as information disclosure or even arbitrary code execution. This vulnerability aligns with CWE-129, which describes improper validation of array indices, and represents a classic example of how insufficient bounds checking can lead to memory corruption vulnerabilities. The ATT&CK framework categorizes this as a privilege escalation technique under T1068, where an attacker exploits a system vulnerability to gain elevated privileges.
The mitigation strategies for this vulnerability primarily involve applying the relevant security patches provided by Google and device manufacturers, which typically include correcting the bounds checking logic in the fdt_next_tag function to properly validate memory access boundaries. Additionally, system administrators should ensure that device tree blobs are properly validated and sanitized before processing, implementing stricter input validation mechanisms. The vulnerability also highlights the importance of comprehensive code review processes for kernel-level components and the need for robust memory safety checks in critical system functions. Regular security updates and proper device tree validation procedures should be implemented to prevent similar issues from occurring in future versions. Organizations should also consider implementing monitoring solutions to detect anomalous device tree processing patterns that might indicate exploitation attempts.