CVE-2022-48334
Description
Integer overflow in Widevine TA's drm_verify_keys leads to buffer overflow, enabling privilege escalation and info disclosure from the Normal World.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An integer overflow exists in the drm_verify_keys function (at offset 0x7370) of the Widevine Trusted Application (TA) running in Qualcomm's Secure Execution Environment (QSEE), versions 5.0.0 through 5.1.1 (specific builds: LRX21O, LRX22C, LMY47D, LMY47E, LMY47I, LMY47M, LMY47Z, LMY48I, LMY48M, and later 5.1.x). The overflow occurs when computing total_len + file_name_len, leading to a subsequent buffer overflow. The vulnerability was identified via fuzzing and debugging tools developed by the researchers [1].
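The bug class described above, shown as an added example that is not the Widevine TA's code: a length check whose sum wraps, next to a form that cannot wrap. Only `total_len` and `file_name_len` come from this page; the 32-bit unsigned types, the buffer size, the function names and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_CAP 256u /* constructed buffer size, not taken from the TA */

/* Weak pattern: the 32-bit sum wraps modulo 2^32 before it is compared,
 * so a huge file_name_len can make the total look small. */
static int fits_unchecked(uint32_t total_len, uint32_t file_name_len)
{
    return total_len + file_name_len <= OUT_CAP;
}

/* Hardened pattern: compare by subtraction so no intermediate value wraps. */
static int fits_checked(uint32_t total_len, uint32_t file_name_len)
{
    if (total_len > OUT_CAP)
        return 0;
    return file_name_len <= OUT_CAP - total_len;
}

/* Hypothetical helper: copy a name into the buffer only when the checked
 * test passes. Returns the new total length, or -1 when rejected. */
static int64_t append_name(uint8_t *out, uint32_t total_len,
                           const uint8_t *name, uint32_t file_name_len)
{
    if (!fits_checked(total_len, file_name_len))
        return -1;
    memcpy(out + total_len, name, file_name_len);
    return (int64_t)total_len + file_name_len;
}

int main(void)
{
    uint8_t out[OUT_CAP] = {0};
    const uint8_t name[] = "keyfile";  /* constructed sample input */
    uint32_t oversized = 0xFFFFFFF0u;  /* constructed caller-supplied length */

    printf("unchecked accepts: %d\n", fits_unchecked(0x20, oversized));
    printf("checked accepts:   %d\n", fits_checked(0x20, oversized));
    printf("append valid:      %lld\n",
           (long long)append_name(out, 0x20, name, sizeof name));
    printf("append oversized:  %lld\n",
           (long long)append_name(out, 0x20, name, oversized));
    return 0;
}
```

The same check applies to any length field that crosses the Normal World to TEE boundary: validate each operand against the remaining capacity before combining them.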
Exploitation
An attacker with access to the Normal World (e.g., a malicious app or compromised user space) can send a crafted command to the Widevine TA, triggering the integer overflow and buffer overflow. No special authentication is required beyond the ability to invoke Widevine commands from the Normal World. The attack sequence involves sending a modified request to the TA's drm_verify_keys function with manipulated lengths, causing memory corruption [1].
Impact
Successful exploitation can cause the TA to crash or potentially execute arbitrary code within the TrustZone. This could lead to privilege escalation from the Normal World to the TEE, enabling the attacker to access sensitive information protected by Widevine DRM, such as decryption keys and content [1].
Mitigation
As of the publication date, no official fix version has been disclosed. Users are advised to apply any security updates provided by device vendors (e.g., Google, Qualcomm) when available. The affected devices include Google Nexus 6 and potentially other devices using the same Widevine TA versions. No workarounds are known; updating to a patched version of Widevine is the only mitigation [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Widevine/Widevine Trusted Application (TA)
- Range: 5.0.0 - 5.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.