Login Sign Up

CVE-2022-20118

7.0 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in Android's ION memory management subsystem due to a race condition in ion_ioctl and related functions. It allows local attackers to escalate privileges without requiring user interaction or additional execution privileges. Affected systems include Android devices running vulnerable kernel versions.

💻 Affected Systems

Products:
  • Android
Versions: Android kernel versions before May 2022 security patches
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the ION memory management subsystem in the Android kernel. Pixel devices and other Android devices using affected kernel versions are vulnerable.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root privileges, allowing complete control over the device, data theft, and persistence mechanisms.

🟠

Likely Case

Local privilege escalation from a limited user or app context to kernel-level privileges, enabling further system exploitation.

🟢

If Mitigated

Limited impact if proper kernel hardening, SELinux policies, and least privilege principles are enforced.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the device.
🏢 Internal Only: HIGH - Malicious apps or users with local access can exploit this to gain elevated privileges on affected Android devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of race condition timing. No public exploit code is documented, but the vulnerability is well-understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patch level May 2022 or later

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2022-05-01

Restart Required: Yes

Instructions:

1. Apply the May 2022 Android security patch. 2. Update Android kernel to version containing fix for A-205707793. 3. Reboot device to load patched kernel.

🔧 Temporary Workarounds

Disable vulnerable ION functionality

linux

Disable or restrict ION memory management subsystem if not required

echo 0 > /sys/kernel/debug/ion/enable

🧯 If You Can't Patch

  • Implement strict SELinux policies to limit privilege escalation paths
  • Restrict physical and network access to vulnerable devices

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level: Settings > About phone > Android security patch level. If before May 2022, likely vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level is May 2022 or later and kernel version includes fix for A-205707793.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • ION subsystem error messages
  • Unexpected privilege escalation attempts

Network Indicators:

  • None - local exploitation only

SIEM Query:

source="android_kernel" AND ("ion_ioctl" OR "use-after-free" OR "A-205707793")

📊 Metadata

CVE ID: CVE-2022-20118
CVSS v3 Score: 7.0 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-362
Published: May 10, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-20118, you might also want to check these:

CVE-2025-43275 9.8

A race condition vulnerability in macOS allows malicious applications to escape their sandbox restri...

Same vulnerability type (CWE-362)
CVE-2021-32810 9.8

A race condition in crossbeam-deque Rust library versions before 0.7.4 and 0.8.0 allows tasks in wor...

Same vulnerability type (CWE-362)
CVE-2025-30444 9.8

A race condition vulnerability in macOS SMB client allows attackers to cause system termination (ker...

Same vulnerability type (CWE-362)