Android 12L Security Release Notes

Published February 22, 2022 | Updated September 8, 2022

This Android Security Release Notes contains details of security vulnerabilities affecting Android devices which are addressed as part of Android 12L. Android 12L devices with a security patch level of 2022-03-01 or later are protected against these issues (Android 12L, as released on AOSP, will have a default security patch level of 2022-03-01). To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 12L release.

The severity assessment of issues in these release notes are based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

Announcements

  • The issues described in this document are addressed as part of Android 12L. This information is provided for reference and transparency.
  • We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

Android and Google service mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

Android 12L vulnerability details

The sections below provide details for security vulnerabilities fixed as part of Android 12L. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.

Framework

CVE References Type Severity
CVE-2021-39749 A-205996115 EoP High
CVE-2021-39743 A-201534884 EoP Moderate
CVE-2021-39746 A-194696395 EoP Moderate
CVE-2021-39750 A-206474016 EoP Moderate
CVE-2021-39752 A-202756848 EoP Moderate
CVE-2022-20002 A-198657657 EoP Moderate
CVE-2022-20203 A-199745908 EoP Moderate
CVE-2021-39744 A-192369136 ID Moderate
CVE-2021-39745 A-206127671 ID Moderate
CVE-2021-39747 A-208268457 ID Moderate
CVE-2021-39748 A-203777141 ID Moderate
CVE-2021-39751 A-172838801 ID Moderate
CVE-2021-39753 A-200035185 ID Moderate
CVE-2021-39755 A-204995407 ID Moderate
CVE-2021-39756 A-184354287 ID Moderate
CVE-2021-39757 A-176094662 ID Moderate
CVE-2021-39754 A-207133709 Unknown Unknown

Media Framework

CVE References Type Severity
CVE-2021-39759 A-180200830 EoP Moderate
CVE-2021-39760 A-194110526 ID Moderate
CVE-2021-39761 A-179783181 ID Moderate
CVE-2021-39762 A-210625816 ID Moderate

Platform

CVE References Type Severity
CVE-2021-39741 A-173567719 EoP Moderate
CVE-2021-39763 A-199176115 EoP Moderate
CVE-2021-39764 A-170642995 EoP Moderate
CVE-2021-39767 A-201308542 EoP Moderate
CVE-2021-39768 A-202017876 EoP Moderate
CVE-2021-39771 A-198661951 EoP Moderate
CVE-2021-25393 A-180518134 ID Moderate
CVE-2021-39739 A-184525194 ID Moderate
CVE-2021-39740 A-209965112 ID Moderate
CVE-2021-39742 A-186405602 ID Moderate
CVE-2021-39765 A-201535427 ID Moderate
CVE-2021-39766 A-198296421 ID Moderate
CVE-2021-39769 A-193663287 ID Moderate
CVE-2021-39770 A-193033501 ID Moderate

System

CVE References Type Severity
CVE-2021-39776 A-192614125 EoP High
CVE-2021-39787 A-202506934 EoP High
CVE-2021-39772 A-181962322 EoP Moderate
CVE-2021-39780 A-204992293 EoP Moderate
CVE-2021-39781 A-195311502 EoP Moderate
CVE-2021-39782 A-202760015 EoP Moderate
CVE-2021-39783 A-197960597 EoP Moderate
CVE-2021-39784 A-200163477 EoP Moderate
CVE-2021-39786 A-192551247 EoP Moderate
CVE-2021-39789 A-203880906 EoP Moderate
CVE-2021-39790 A-186405146 EoP Moderate
CVE-2021-39773 A-191276656 ID Moderate
CVE-2021-39775 A-206465854 ID Moderate
CVE-2021-39777 A-194743207 ID Moderate
CVE-2021-39778 A-196406138 ID Moderate
CVE-2021-39779 A-190400974 ID Moderate
CVE-2021-39788 A-191768014 ID Moderate
CVE-2021-39791 A-194112606 ID Moderate
CVE-2021-39774 A-205989472 DoS Moderate

Additional Vulnerability details

The section below provides details for security vulnerabilities that are being provided for disclosure purposes. These issues are not required for SPL compliance.

Android TV

CVE References Type Severity
CVE-2021-1000 A-185190688 EoP Moderate
CVE-2021-1033 A-185247656 EoP Moderate

Common questions and answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

To learn how to check a device's security patch level, see Check and update your Android version.

Android 12L, as released on AOSP, has a default security patch level of 2022-03-01. Android devices running Android 12L and with a security patch level of 2022-03-01 or later address all issues contained in these security release notes.

2. What do the entries in the Type column mean?

Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.

Abbreviation Definition
RCE Remote code execution
EoP Elevation of privilege
ID Information disclosure
DoS Denial of service
N/A Classification not available

3. What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

Prefix Reference
A- Android bug ID

Versions

Version Date Notes
1.0 February 22, 2022 Security Release Notes Published
1.1 May 27, 2022 Updated Issue List
1.2 September 8, 2022 Updated Issue List