A new security vulnerability has been discovered in the Android operating system, specifically affecting Android versions 10, 11, 12, and 12L. The vulnerability, dubbed CVE-2022-20130, lies in the transportDec_OutOfBandConfig function found in the tpdec_lib.cpp file, and it allows for a potential out of bounds write due to a heap buffer overflow. This issue could ultimately lead to remote code execution, giving attackers the ability to execute arbitrary code on affected devices without any additional execution privileges or user interaction.

In this post, we'll take a closer look at the details of CVE-2022-20130, including the vulnerable code snippet, original references, and exploit possibilities. It is crucial for Android users and developers to be aware of this vulnerability to ensure proper mitigation and protection of their devices.

Vulnerable Code Snippet

The issue lies in the transportDec_OutOfBandConfig function in the tpdec_lib.cpp file. The following code snippet demonstrates the function:

void transportDec_OutOfBandConfig(TransportDec* dec,
                                  const uint8_t* configData,
                                  uint32_t configDataSize) {
  while (src < configEnd) {
    if (flag & x80) {
      uint8_t bitOffset;
      memcpy(&dec->output[bitOffset], &src[], dataLength);

The vulnerability arises from the use of the memcpy function which may cause a heap buffer overflow. The memcpy function is called with an unchecked 'bitOffset' value and an unchecked DataLength value obtained from the configData input buffer. This lack of input validation leaves the door open for potential exploitation.

Original References

The Android Security Bulletin [1] first mentioned the existence of CVE-2022-20130, disclosing a possible out of bounds write due to a heap buffer overflow, which could lead to remote code execution. The vulnerability was assigned Android ID A-224314979.

Exploit Details

To exploit this vulnerability, an attacker would need to craft a malicious payload containing a manipulated configData input buffer, specifically designed to cause a buffer overflow. When the transportDec_OutOfBandConfig function processes this input buffer, it could result in an out-of-bounds write due to the unsafe use of memcpy.

This out-of-bounds write can subsequently corrupt adjacent memory, providing an attacker with the opportunity to execute arbitrary code on the target device. Since no additional execution privileges are needed and no user interaction is required for exploitation, this vulnerability presents a significant risk for affected Android users.


Google has already addressed this vulnerability in their Android Security Updates [1]. Users and developers are encouraged to apply the latest security patches to protect themselves from potential exploitation.

It is also essential to practice safe browsing habits, avoiding suspicious links and downloading apps only from trusted sources like the Google Play Store.


CVE-2022-20130 is a critical vulnerability that affects multiple Android versions and could potentially allow attackers to execute arbitrary code on affected devices. This vulnerability highlights the importance of continually monitoring and staying informed about security issues affecting widely-used software like the Android operating system. By staying informed and applying security updates promptly, you can minimize the risk to your devices and personal data.


[1] Android Security Bulletin: https://source.android.com/security/bulletin


Published on: 06/15/2022 13:15:00 UTC
Last modified on: 06/23/2022 18:02:00 UTC