CVE-2022-33719 – Improper input validation in baseband prior to SMR Aug-2022 Release 1 (5th Aug 2022)

Preface: The national version of the Samsung Galaxy S22 series uses the Qualcomm Snapdragon 8, while the European version uses the Exynos 2200. European users will cheer as the Samsung Galaxy S23 ditches the Exynos chip.


Background: Android 12 is the twelfth major release and 19th version of Android, the mobile operating system developed by the Open Handset Alliance led by Google.
Android Q is Android 10.
Android R is Android 11.
Android S is Android 12.

Baseband Initialization: pal_init(). Subsequently, a monolithic function starts all modem subsystems and tasks:
○ Activates malloc heap
○ Loads NV items
○ Starts timers
○ Initializes DSP(s) and other peripherals
○ Starts all tasks

Vulnerability details: Improper input validation in baseband prior to SMR Aug-2022 Release 1 allows attackers to cause an integer overflow that leads to a heap overflow. The patch adds proper validation logic to prevent the integer overflow.
The weakness was presented on 08/05/2022. The advisory is available at security.samsungmobile.com. This vulnerability has been handled as CVE-2022-33719 since 06/15/2022. The technical details are unknown and an exploit is not available.

For a summary of my observations, please refer to the diagram.

Severity: Critical
Affected versions: Selected Q(10), R(11), S(12) devices with S.LSI CP chipsets
Reported on: February 26, 2022

Official details: Please refer to the link for details – https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=08
