Login Sign Up

CVE-2022-48355

6.5 MEDIUM
Denial of Service

📋 TL;DR

This CVE describes a heap out-of-bounds read vulnerability in Huawei Bluetooth modules. Successful exploitation can cause the Bluetooth process to crash, potentially disrupting Bluetooth functionality on affected devices. This affects Huawei devices running HarmonyOS with vulnerable Bluetooth firmware.

💻 Affected Systems

Products:
  • Huawei smartphones
  • Huawei tablets
  • Huawei wearables with Bluetooth
Versions: HarmonyOS versions prior to security updates released in March 2023
Operating Systems: HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with vulnerable Bluetooth firmware; requires Bluetooth to be enabled.

📦 What is this software?

Emui by Huawei

View all CVEs affecting Emui →

Emui by Huawei

View all CVEs affecting Emui →

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Denial of service causing Bluetooth functionality to become unavailable, potentially requiring device restart to restore functionality.

🟠

Likely Case

Bluetooth process crash leading to temporary loss of Bluetooth connectivity until process restarts.

🟢

If Mitigated

Minimal impact with proper patching; Bluetooth functionality remains stable.

🌐 Internet-Facing: LOW - Bluetooth is short-range wireless technology not directly internet-facing.
🏢 Internal Only: MEDIUM - Requires proximity to exploit via Bluetooth, but could affect internal device connectivity.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires proximity to target device via Bluetooth and specific malformed packets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS security updates released March 2023

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2023/3/

Restart Required: Yes

Instructions:

1. Check for system updates in device Settings. 2. Install available security updates. 3. Restart device after installation.

🔧 Temporary Workarounds

Disable Bluetooth

all

Temporarily disable Bluetooth to prevent exploitation

Enable Airplane Mode

all

Disable all wireless communications including Bluetooth

🧯 If You Can't Patch

  • Disable Bluetooth when not in use
  • Limit Bluetooth visibility to trusted devices only

🔍 How to Verify

Check if Vulnerable:

Check HarmonyOS version in Settings > About phone > HarmonyOS version. If version predates March 2023 security updates, device may be vulnerable.

Check Version:

Settings > About phone > HarmonyOS version

Verify Fix Applied:

Verify HarmonyOS version includes March 2023 security updates in Settings > About phone > HarmonyOS version.

📡 Detection & Monitoring

Log Indicators:

  • Bluetooth service crashes
  • Bluetooth process termination logs
  • Bluetooth connectivity failures

Network Indicators:

  • Unusual Bluetooth connection attempts
  • Malformed Bluetooth packets

SIEM Query:

Not applicable - local device vulnerability

📊 Metadata

CVE ID: CVE-2022-48355
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-787
Published: March 27, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-48355, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)