CVE-2022-48332
Description
Integer overflow in Widevine TA's drm_save_keys leads to buffer overflow, enabling privilege escalation and sensitive data exposure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Widevine Trusted Application (TA) version 5.0.0 through 5.1.1, which runs within Qualcomm's Secure Execution Environment (QSEE). The function drm_save_keys contains an integer overflow in the file_name_len parameter, resulting in a buffer overflow. Affected builds for the Nexus 6 include LRX21O, LRX22C, LMY47D, LMY47E, LMY47I, LMY47M, LMY47Z, LMY48I, LMY48M, and later 5.1.1 variants [1].
Exploitation
An attacker in the Normal World can send a crafted command to the TA via the QSEE client interface. By supplying a malicious file_name_len value that triggers an integer overflow, the subsequent buffer overflow corrupts memory within the Trusted Application. No authentication is required beyond the ability to communicate with the TA [1].
Impact
Successful exploitation can cause the TA to crash or potentially execute arbitrary code within TrustZone. This allows privilege escalation from the Normal World to the TEE, leading to disclosure of sensitive information such as DRM keys and other protected content [1].
Mitigation
Google has not released a patch for this vulnerability; the affected Nexus 6 device is end-of-life and no longer receives security updates. Users should migrate to a supported device. No workaround exists. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Widevine/Widevine Trusted Application (TA)
  - Range: 5.0.0 - 5.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.