PT-2022-14457 · Google · Android Kernel

Published 2022-06-15 · Updated 2026-01-03 · CVE-2022-20233

CVSS v2.0

7.2 High

Vector

AV:L/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Android kernel

Description

The issue is a possible out-of-bounds write caused by an incorrect bounds check in param_find_digests_internal and related functions of the Titan-M source. This could lead to local escalation of privilege, with System execution privileges needed. User interaction is not needed for exploitation. The error is a buffer overflow that resulted from incorrect boundary checking. Researchers were able to write an exploit that allowed them to read arbitrary memory on the chip and obtain any key protected by StrongBox, thereby bypassing the highest level of protection of the Keystore on Android.

Recommendations

To resolve the issue, update the Android kernel to a version that includes the security fix released in June 2022. As a temporary workaround, consider restricting access to the Titan-M source until a patch is available. Avoid using the vulnerable functions until the issue is resolved. At the moment, there is no additional information about other mitigation measures.

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2022-20233

Affected Products

Android Kernel