CVE-2022-48336

Vulnerability

CVE-2022-48336 is an integer overflow in the PRDiagParseAndStoreData function (at offset 0x5cc8) within the Widevine Trusted Application (TA) that runs in Qualcomm's Secure Execution Environment (QSEE) [1]. Affected versions are Widevine TA 5.0.0 through 7.1.1, as present on devices such as the Google Nexus 6 [1]. The vulnerability is triggered when a crafted command is sent from the Normal World to the TA, causing an integer overflow that results in a subsequent buffer overflow [1].

Exploitation

An attacker with the ability to send commands from the Normal World (unprivileged Android application context) can exploit the integer overflow by providing specially crafted input to the PRDiagParseAndStoreData handler [1]. No additional authentication is required beyond the ability to invoke the TA command; the attacker must be able to interact with the Widevine TA via the QSEE interface [1]. The overflow occurs during parsing and storage of diagnostic data, leading to a heap-based buffer overflow [1].

Impact

Successful exploitation could cause the Trusted Application to crash and may allow arbitrary code execution within the QSEE environment [1]. This would give the attacker elevated privileges (TrustZone context) and could expose sensitive information, including DRM keys and other protected content [1]. The integrity and confidentiality of the trusted execution environment are compromised [1].

Mitigation

The vulnerability affects Widevine TA versions 5.0.0 through 7.1.1 [1]. As of the publication date (June 26, 2023), Google had not released a public patch for the Nexus 6, which is an end-of-life device [1]. Users should consider upgrading to a supported device that receives security updates. No workaround is available [1].