CVE-2022-20126

CVSS v3.1

7.3

High

Vector

AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Android versions Android-10 through Android-12L

Description The issue is related to a missing permission check in the setScanMode function of AdapterService.java, which could allow enabling Bluetooth discovery mode without user interaction. This might lead to local escalation of privilege, requiring User execution privileges for exploitation. User interaction is necessary for this issue to be exploited.

Recommendations For Android versions Android-10 through Android-12L, consider restricting access to the setScanMode function in AdapterService.java until a patch is available. As a temporary workaround, disabling Bluetooth discovery mode by default could minimize the risk of exploitation.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

ASB-A-203431023

CVE-2022-20126

Affected Products

Android

CVE-2022-20126

Weakness Enumeration

Related Identifiers

Affected Products

References · 9