CVE-2022-20499 in Android
Summary
by MITRE • 03/24/2023
In validateForCommonR1andR2 of PasspointConfiguration.java, uncaught errors in parsing stored configs could lead to local persistent denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12L Android-13Android ID: A-246539931
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/18/2026
The vulnerability identified as CVE-2022-20499 represents a critical local persistent denial of service flaw within the Android Passpoint configuration handling mechanism. This issue resides in the validateForCommonR1andR2 method of the PasspointConfiguration.java file, which is responsible for validating wireless network configurations. The vulnerability stems from inadequate error handling during the parsing of stored configuration data, creating a scenario where malformed or unexpected input can cause the system to crash or become unresponsive. The flaw affects Android versions 12, 12L, and 13, making it a widespread concern across the latest mobile platform releases.
The technical nature of this vulnerability aligns with CWE-703, which addresses the improper handling of exceptional conditions, and specifically demonstrates how uncaught exceptions can lead to system instability. When the Passpoint configuration parser encounters malformed data during validation, it fails to properly handle the error conditions, resulting in the termination of the configuration validation process. This failure creates a persistent state where the affected system cannot properly process wireless network configurations, effectively disabling the Passpoint functionality for the device. The vulnerability's exploitation requires no additional privileges beyond normal user access, making it particularly concerning as it can be triggered by any local user without requiring administrative rights or special permissions.
The operational impact of this vulnerability extends beyond simple service disruption, as it fundamentally compromises the wireless connectivity capabilities of affected Android devices. Passpoint configurations are critical for seamless network roaming and automatic connection to trusted networks, particularly in enterprise and public WiFi environments. When this functionality becomes disabled due to the denial of service condition, users experience complete loss of automatic network switching capabilities, forcing them to manually reconnect to networks and potentially disrupting business operations or personal productivity. The persistent nature of the vulnerability means that once triggered, the device remains compromised until manually repaired or the affected configuration data is removed, creating an ongoing security risk.
From a security perspective, this vulnerability demonstrates a classic example of how input validation failures can lead to system instability and service disruption. The ATT&CK framework categorizes this as a system service denial of service attack, where the adversary leverages a flaw in system components to create persistent unavailability of services. The vulnerability's location within the Passpoint configuration handling code suggests that attackers could potentially exploit this through various means, including manipulating stored network profiles or injecting malformed configuration data into the system. Organizations should implement immediate mitigations including system updates, configuration hardening, and monitoring for anomalous network behavior that might indicate exploitation attempts. The vulnerability also highlights the importance of robust error handling in security-critical components and the need for comprehensive testing of edge cases in configuration parsing routines.