CVE-2022-22265
Published: 10 January 2022
Summary
CVE-2022-22265 is a medium-severity Improper Check or Handling of Exceptional Conditions (CWE-703) vulnerability in Google Android. Its CVSS base score is 5.0 (Medium).
Operationally, ranked at the 35.7th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-16 (Memory Protection).
Deeper analysis
The vulnerability is an improper check or handling of exceptional conditions, tracked as CWE-703, in the NPU driver prior to Samsung's SMR Jan-2022 Release 1. It permits arbitrary memory writes that can lead to code execution on affected devices. The issue carries a CVSS 3.1 base score of 5.0 reflecting local attack vector, high attack complexity, low privileges, and required user interaction.
A local attacker who already has a foothold on the device can trigger the flaw through crafted inputs to the NPU driver, achieving limited but scoped impacts on confidentiality, integrity, and availability. Exploitation requires user interaction and does not yield full system compromise under the published scoring.
Samsung's January 2022 security bulletin addresses the issue in the SMR Jan-2022 Release 1 update. The CVE is also listed in CISA's Known Exploited Vulnerabilities catalog, confirming real-world exploitation activity. The EPSS score rose from a low baseline to a recorded peak of 0.0104, indicating increased exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27412
Vulnerability details
An improper check or handling of exceptional conditions in NPU driver prior to SMR Jan-2022 Release 1 allows arbitrary memory write and code execution.
- CWE(s)
- KEV Date Added
- 18 September 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires proper error and exceptional-condition handling, which is the root cause (CWE-703) enabling the NPU driver's arbitrary memory write.
Enforces memory protection mechanisms that block the arbitrary memory writes and subsequent code execution the flawed driver permits.
Mandates timely flaw remediation, directly addressed by applying Samsung's SMR Jan-2022 patch that corrects the NPU driver vulnerability.