Unrated severity · NVD Advisory · Published Jun 26, 2023 · Updated Dec 4, 2024

CVE-2022-48335

Description

Integer overflow in Widevine TA 5.0.0-7.1.1 leads to buffer overflow, enabling privilege escalation or arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An integer overflow vulnerability exists in the PRDiagVerifyProvisioning function of the Widevine Trusted Application (TA) versions 5.0.0 through 7.1.1, which runs within Qualcomm's Secure Execution Environment (QSEE). The overflow leads to a subsequent buffer overflow when processing a crafted command from the Normal World [1].

Exploitation

An attacker in the Normal World can send a specially crafted command to the Widevine TA, triggering the integer overflow and then a buffer overflow. No authentication or special privileges are required beyond the ability to interact with the TA from the non-secure side [1].

Impact

Successful exploitation allows the attacker to cause the TA to crash or potentially execute arbitrary code within the secure environment, leading to disclosure of sensitive DRM keys or other protected content, and possible privilege escalation [1].

Mitigation

As of the available reference, no official patch or fixed version has been released. Users should monitor for updates from device vendors and Google. Widevine TA versions 5.0.0 through 7.1.1 are affected; upgrade to a patched version if one becomes available [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Widevine/Widevine Trusted Application (TA)
  • Range: 5.0.0 through 7.1.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
