CVE-2022-48333
Description
Integer overflow in Widevine TA drm_verify_keys leads to a buffer overflow, enabling code execution from the Normal World on Android devices.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Widevine Trusted Application (TA) in Qualcomm's Secure Execution Environment (QSEE), versions 5.0.0 through 5.1.1, has an integer overflow in the drm_verify_keys function (offset 0x730c). The overflow occurs when computing prefix_len + feature_name_len, leading to insufficient buffer allocation and a subsequent heap-based buffer overflow. The vulnerability is reachable by sending a crafted command from the Normal World to the TA. Affected builds include Nexus 6 firmware versions LRX21O through LMY48M [1].
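The length arithmetic described above, as an added example that is not Widevine's code and does not come from the cited reference. It shows the unchecked 32-bit sum beside a checked form; the function names, the 32-bit field widths, the MAX_NAME_TOTAL bound and the sample strings are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME_TOTAL 256u  /* assumed policy bound, not from the page */

/* Unchecked pattern: a 32-bit sum of two caller-supplied lengths wraps
 * modulo 2^32, so the result can be smaller than either input. */
uint32_t total_len_unchecked(uint32_t prefix_len, uint32_t feature_name_len)
{
    return prefix_len + feature_name_len;
}

/* Checked pattern: compare against the bound before adding, so the
 * subtraction cannot underflow and the sum cannot wrap. */
int total_len_checked(uint32_t prefix_len, uint32_t feature_name_len,
                      uint32_t *total)
{
    if (prefix_len > MAX_NAME_TOTAL ||
        feature_name_len > MAX_NAME_TOTAL - prefix_len)
        return -1;
    *total = prefix_len + feature_name_len;
    return 0;
}

/* Concatenate only after the lengths validate; NULL means rejected. */
uint8_t *concat_checked(const uint8_t *prefix, uint32_t prefix_len,
                        const uint8_t *name, uint32_t name_len,
                        uint32_t *out_len)
{
    uint32_t total;
    if (total_len_checked(prefix_len, name_len, &total) != 0) return NULL;
    uint8_t *buf = malloc(total + 1u);   /* +1 keeps a NUL terminator */
    if (buf == NULL) return NULL;
    memcpy(buf, prefix, prefix_len);
    memcpy(buf + prefix_len, name, name_len);
    buf[total] = '\0';
    *out_len = total;
    return buf;
}

int main(void)
{
    uint32_t n = 0;  /* constructed sample inputs below */
    uint8_t *b = concat_checked((const uint8_t *)"drm.", 4u,
                                (const uint8_t *)"hdcp", 4u, &n);
    printf("checked: %s (%u bytes)\n", b ? (char *)b : "(rejected)", (unsigned)n);
    free(b);
    return 0;
}
```

In a TA, the same validation would also bound each length by the size of the request buffer actually received from the Normal World before any copy.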
Exploitation
An attacker with the ability to communicate with the Widevine TA from the Normal World (e.g., via the QSEE driver from userspace, requiring no prior Android privilege) can trigger this bug. The attacker sends a malicious drm_verify_keys command with specially crafted prefix_len and feature_name_len values causing the integer overflow. The sequence does not require user interaction or physical access, only local execution as an unprivileged Android process [1].
Impact
Successful exploitation results in a buffer overflow in the secure world (QSEE), potentially allowing arbitrary code execution within the Widevine TA. This can lead to full compromise of the DRM-protected content flow, elevation of attacker privileges to the TEE level, and disclosure or manipulation of sensitive key material. The attacker gains the ability to dump cryptographic keys and execute arbitrary code at the TrustZone secure level [1].
Mitigation
Google addressed this vulnerability in the Android security bulletin. Users should apply the latest OTA updates for Nexus 6 devices (patched in firmware builds beyond LMY48M). No interim workaround is available, as the fix requires updating the Widevine TA image. The affected firmware versions are now end-of-life, but the vendor has released the patch. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Widevine/Widevine Trusted Application (TA)
- Range: 5.0.0 - 5.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.