Cyber Resilience

CVE-2022-20473

Critical

Published: 13 December 2022

Published
13 December 2022
Modified
22 April 2025
KEV Added
Patch
01 December 2022
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.5088 97.9th percentile
Risk Priority 50 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-20473 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-20473 is an out-of-bounds read vulnerability in the toLanguageTag function of LocaleListCache.cpp, caused by an incorrect bounds check. The flaw affects Android versions 10 through 13 and carries the Android ID A-239267173. It is assigned CWE-125 and rated 9.8 on CVSS 3.1, reflecting a network-accessible flaw that can result in remote code execution without additional privileges or user interaction.

An attacker can trigger the flaw over the network to read memory beyond intended bounds, enabling remote code execution on an unpatched device. No user interaction or elevated privileges are required for successful exploitation.

The December 2022 Android security bulletin addresses the issue through patches that correct the bounds check in the affected LocaleListCache component. Devices running the listed Android versions should be updated to the versions containing the fix.

The EPSS score reached a peak of 0.5680 with a current value of 0.5088, indicating sustained moderate exploitation interest after disclosure.

EU & UK References

Vulnerability details

In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10…

more

Android-11 Android-12 Android-12L Android-13Android ID: A-239267173

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
android
10.0, 11.0, 12.0, 12.1, 13.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References