Cyber Resilience

CVE-2022-22265

MediumCISA KEVActive ExploitationEUVD Exploited

Published: 10 January 2022

Published
10 January 2022
Modified
30 October 2025
KEV Added
18 September 2023
Patch
CVSS Score v3.1 5.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0015 35.7th percentile
Risk Priority 30 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-22265 is a medium-severity Improper Check or Handling of Exceptional Conditions (CWE-703) vulnerability in Google Android. Its CVSS base score is 5.0 (Medium).

Operationally, ranked at the 35.7th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-16 (Memory Protection).

Deeper analysis

The vulnerability is an improper check or handling of exceptional conditions, tracked as CWE-703, in the NPU driver prior to Samsung's SMR Jan-2022 Release 1. It permits arbitrary memory writes that can lead to code execution on affected devices. The issue carries a CVSS 3.1 base score of 5.0 reflecting local attack vector, high attack complexity, low privileges, and required user interaction.

A local attacker who already has a foothold on the device can trigger the flaw through crafted inputs to the NPU driver, achieving limited but scoped impacts on confidentiality, integrity, and availability. Exploitation requires user interaction and does not yield full system compromise under the published scoring.

Samsung's January 2022 security bulletin addresses the issue in the SMR Jan-2022 Release 1 update. The CVE is also listed in CISA's Known Exploited Vulnerabilities catalog, confirming real-world exploitation activity. The EPSS score rose from a low baseline to a recorded peak of 0.0104, indicating increased exploitation interest after public disclosure.

EU & UK References

Vulnerability details

An improper check or handling of exceptional conditions in NPU driver prior to SMR Jan-2022 Release 1 allows arbitrary memory write and code execution.

CWE(s)
KEV Date Added
18 September 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
android
10.0, 11.0, 12.0, 9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires proper error and exceptional-condition handling, which is the root cause (CWE-703) enabling the NPU driver's arbitrary memory write.

prevent

Enforces memory protection mechanisms that block the arbitrary memory writes and subsequent code execution the flawed driver permits.

prevent

Mandates timely flaw remediation, directly addressed by applying Samsung's SMR Jan-2022 patch that corrects the NPU driver vulnerability.

References