CVE-2022-48331
Description
Integer overflow in Widevine TA's drm_save_keys leads to buffer overflow, enabling potential code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An integer overflow vulnerability exists in the drm_save_keys function of the Widevine Trusted Application (TA) within Qualcomm's Secure Execution Environment (QSEE). The bug is triggered by a feature_name_len integer overflow, which leads to a subsequent buffer overflow. Affected versions include Widevine TA 5.0.0 through 5.1.1, as used in devices such as Google Nexus 6 [1].
Exploitation
An attacker in the Normal World (unprivileged user space) can trigger the vulnerability by sending a crafted command to the Widevine TA. No special privileges are required, as the TEE interface is accessible from the Normal World. The integer overflow in the feature_name_len parameter causes a buffer overflow during the drm_save_keys operation [1].
Impact
Successful exploitation could cause the Widevine TA to crash or potentially allow arbitrary code execution within the QSEE. This could lead to privilege escalation and disclosure of sensitive information, including DRM keys and other protected data [1].
Mitigation
As of the reference publication date (March 2023), users should update to the latest firmware provided by their device vendor. The vulnerability affects Nexus 6 devices running affected versions (5.0.0 through 5.1.1); updates may no longer be available as the device is end-of-life. No workaround is described in the available references [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Widevine/Widevine Trusted Application (TA)
- Range: 5.0.0 to 5.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References