CVE-2022-20472
Published: 13 December 2022
Summary
CVE-2022-20472 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 10.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-20472 is an out-of-bounds read vulnerability in the toLanguageTag function of LocaleListCache.cpp, caused by an incorrect bounds check. The flaw affects multiple versions of Android, specifically Android-10 through Android-13, and carries the internal identifier A-239210579. It is tracked under CWE-125 and received a CVSS 3.1 base score of 9.8.
An attacker can exploit the issue over the network without authentication or user interaction to read memory beyond intended bounds, which may enable remote code execution with no additional privileges required. The vulnerability resides in a core system component, allowing potential compromise of affected devices simply by supplying malicious input that triggers the faulty locale handling path.
The December 2022 Android security bulletin addresses the issue through platform updates that correct the bounds check in LocaleListCache.cpp. Devices running the listed Android versions should be updated to the patched releases distributed by Google and device manufacturers.
EPSS for this CVE rose from a low baseline to a peak of 0.4485 on 2025-12-11 before receding to the current value of 0.0454, indicating a clear post-disclosure increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-25732
Vulnerability details
In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-10, Android-11, Android-12, Android-12L, Android-13
Android ID: A-239210579
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.