Pixel Update Bulletin—December 2022

Published December 5, 2022 | Updated December 22, 2022

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices (Google devices). For Google devices, security patch levels of 2022-12-05 or later address all issues in this bulletin and all issues in the December 2022 Android Security Bulletin. To learn how to check a device's security patch level, see Check and update your Android version.

All supported Google devices will receive an update to the 2022-12-05 patch level. We encourage all customers to accept these updates to their devices.

Announcements

  • In addition to the security vulnerabilities described in the December 2022 Android Security Bulletin, Google devices also contain patches for the security vulnerabilities described below.

Security patches

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

Framework

CVE References Type Severity Updated AOSP versions
CVE-2022-20504 A-225878553 EoP Moderate 13
CVE-2022-20512 A-238602879 EoP Moderate 13
CVE-2022-20514 A-245727875 EoP Moderate 13
CVE-2022-20524 A-228523213 EoP Moderate 13
CVE-2022-20553 A-244155265 EoP Moderate 13
CVE-2022-20554 A-245770596 EoP Moderate 13
CVE-2022-20510 A-235822336 ID Moderate 13
CVE-2022-20511 A-235821829 ID Moderate 13
CVE-2022-20513 A-244569759 ID Moderate 13
CVE-2022-20523 A-228222508 ID Moderate 13
CVE-2022-20530 A-231585645 ID Moderate 13
CVE-2022-20538 A-235601770 ID Moderate 13
CVE-2022-20559 A-219739967 ID Moderate 13
CVE-2022-20543 A-238178261 [2] [3] DoS Moderate 13
CVE-2022-20526 A-229742774 EoP Low 13

Media Framework

CVE References Type Severity Updated AOSP versions
CVE-2022-20548 A-240919398 EoP Moderate 13
CVE-2022-20528 A-230172711 ID Moderate 13

System

CVE References Type Severity Updated AOSP versions
CVE-2022-42544 A-224545390 EoP Moderate 13
CVE-2022-20503 A-224772890 EoP Moderate 13
CVE-2022-20505 A-225981754 EoP Moderate 13
CVE-2022-20506 A-226133034 EoP Moderate 13
CVE-2022-20507 A-246649179 EoP Moderate 13
CVE-2022-20508 A-218679614 EoP Moderate 13
CVE-2022-20509 A-244713317 EoP Moderate 13
CVE-2022-20519 A-224772678 EoP Moderate 13
CVE-2022-20520 A-227203202 EoP Moderate 13
CVE-2022-20522 A-227470877 EoP Moderate 13
CVE-2022-20525 A-229742768 EoP Moderate 13
CVE-2022-20529 A-231583603 EoP Moderate 13
CVE-2022-20533 A-232798363 EoP Moderate 13
CVE-2022-20536 A-235100180 EoP Moderate 13
CVE-2022-20537 A-235601169 EoP Moderate 13
CVE-2022-20539 A-237291425 EoP Moderate 13
CVE-2022-20540 A-237291506 EoP Moderate 13
CVE-2022-20544 A-238745070 EoP Moderate 13
CVE-2022-20546 A-240266798 EoP Moderate 13
CVE-2022-20547 A-240301753 EoP Moderate 13
CVE-2022-20549 A-242702451 EoP Moderate 13
CVE-2022-20550 A-242845514 EoP Moderate 13
CVE-2022-20556 A-246301667 EoP Moderate 13
CVE-2022-20557 A-247092734 EoP Moderate 13
CVE-2022-20558 A-236264289 EoP Moderate 13
CVE-2022-42542 A-231445184 EoP Moderate 13
CVE-2022-20199 A-199291025 [2] ID Moderate 13
CVE-2022-20515 A-220733496 ID Moderate 13
CVE-2022-20516 A-224002331 ID Moderate 13
CVE-2022-20517 A-224769956 ID Moderate 13
CVE-2022-20518 A-224770203 ID Moderate 13
CVE-2022-20527 A-229994861 ID Moderate 13
CVE-2022-20535 A-233605242 ID Moderate 13
CVE-2022-20541 A-238083126 ID Moderate 13
CVE-2022-20552 A-243922806 ID Moderate 13
CVE-2022-20555 A-246194233 ID Moderate 13
CVE-2022-42535 A-224770183 ID Moderate 13
CVE-2022-20521 A-227203684 DoS Moderate 13
CVE-2022-20545 A-239368697 DoS Moderate 13

Kernel components

In addition to the platform fixes described above, Pixel also ingested the upstream kernel security fixes associated with snapping to LTS version 5.10.107.

More information is available at the Android Common Kernels page.

CVE References Type Severity Subcomponent
CVE-2022-0500 A-228560539 Upstream kernel EoP Moderate Kernel
CVE-2022-1116 A-234020136 Upstream kernel EoP Moderate Kernel
CVE-2022-1419 A-235540888 Upstream kernel EoP Moderate Kernel
CVE-2020-0465 A-160818461 Upstream kernel EoP Moderate Kernel
CVE-2022-20566 A-165329981 Upstream kernel [2] EoP Moderate Bluetooth L2CAP
CVE-2022-20567 A-186777253 Upstream kernel EoP Moderate Kernel
CVE-2022-20568 A-220738351 Upstream kernel EoP Moderate io_uring
CVE-2022-20571 A-234030265 Upstream kernel EoP Moderate dm-verity
CVE-2022-20572 A-234475629 Upstream kernel [2] EoP Moderate dm-verity
CVE-2022-28390 A-228694391 Upstream kernel EoP Moderate Kernel
CVE-2022-30594 A-233438137 Upstream kernel [2] [3] EoP Moderate Kernel
CVE-2022-34494 A-238479990 Upstream kernel EoP Moderate Kernel
CVE-2022-34495 A-238480163 Upstream kernel EoP Moderate Kernel
CVE-2022-1852 A-235183128 Upstream kernel [2] ID Moderate Kernel

Pixel

CVE References Type Severity Subcomponent
CVE-2022-20582 A-233645166 * EoP Critical LDFW
CVE-2022-20583 A-234859169 * EoP Critical LDFW
CVE-2022-20584 A-238366009 * EoP Critical TF-A
CVE-2022-20585 A-238716781 * EoP Critical LDFW
CVE-2022-20586 A-238718854 * EoP Critical LDFW
CVE-2022-20587 A-238720411 * EoP Critical LDFW
CVE-2022-20588 A-238785915 * EoP Critical LDFW
CVE-2022-20597 A-243480506 * EoP Critical LDFW
CVE-2022-20598 A-242357514 * EoP Critical LDFW
CVE-2022-20599 A-242332706 * EoP Critical Pixel firmware
CVE-2022-42534 A-237838301 * EoP Critical TF-A
CVE-2022-42543 A-249998113 * ID Critical libfdt
CVE-2022-20589 A-238841928 * ID Critical LDFW
CVE-2022-20590 A-238932493 * ID Critical LDFW
CVE-2022-20591 A-238939706 * ID Critical LDFW
CVE-2022-20592 A-238976908 * ID Critical LDFW
CVE-2022-20603 A-219265339 * RCE High Modem
CVE-2022-20607 A-238914868 * RCE High Cellular Firmware
CVE-2022-20610 A-240462530 * RCE High Pixel cellular modem
CVE-2022-20561 A-222162870 * EoP High Audio
CVE-2022-20564 A-243798789 * EoP High libufdt
CVE-2022-42531 A-231500967 * EoP High TF-A
CVE-2022-20562 A-231630423 * ID High Audio processor
CVE-2022-20574 A-237582191 * ID High LDFW
CVE-2022-20575 A-237585040 * ID High LDFW
CVE-2022-20602 A-211081867 * ID High Modem
CVE-2022-20604 A-230463606 * ID High Exynos Firmware
CVE-2022-20608 A-239239246 * ID High Cellular firmware
CVE-2022-42529 A-235292841 * ID High Kernel
CVE-2022-42530 A-242331893 * ID High Pixel firmware
CVE-2022-42532 A-242332610 * ID High Pixel firmware
CVE-2022-20563 A-242067561 * EoP Moderate Bootloader
CVE-2022-20569 A-229258234 * EoP Moderate Pixel Thermal Control Driver
CVE-2022-20576 A-239701761 * EoP Moderate Telephony
CVE-2022-20577 A-241762281 * EoP Moderate sitril
CVE-2022-20578 A-243509749 * EoP Moderate rild_exynos
CVE-2022-20579 A-243510139 * EoP Moderate rild_exynos
CVE-2022-20580 A-243629453 * EoP Moderate libufdt
CVE-2022-20581 A-245916120 * EoP Moderate Pixel camera driver
CVE-2022-20594 A-239567689 * EoP Moderate Wireless Charger
CVE-2022-20596 A-239700400 * EoP Moderate Wireless Charger
CVE-2022-20600 A-239847859 * EoP Moderate LWIS
CVE-2022-42501 A-241231403 * EoP Moderate rild_exynos
CVE-2022-42502 A-241231970 * EoP Moderate rild_exynos
CVE-2022-42503 A-241231983 * EoP Moderate rild_exynos
CVE-2022-42504 A-241232209 * EoP Moderate rild_exynos
CVE-2022-42505 A-241232492 * EoP Moderate rild_exynos
CVE-2022-42506 A-241388399 * EoP Moderate rild_exynos
CVE-2022-42507 A-241388774 * EoP Moderate rild_exynos
CVE-2022-42508 A-241388966 * EoP Moderate rild_exynos
CVE-2022-42509 A-241544307 * EoP Moderate rild_exynos
CVE-2022-42510 A-241762656 * EoP Moderate rild_exynos
CVE-2022-42511 A-241762712 * EoP Moderate rild_exynos
CVE-2022-42513 A-241763204 * EoP Moderate rild_exynos
CVE-2022-42518 A-242536278 * EoP Moderate rild_exynos
CVE-2022-42519 A-242540694 * EoP Moderate rild_exynos
CVE-2022-42520 A-242994270 * EoP Moderate rild_exynos
CVE-2022-42521 A-243130019 * EoP Moderate rild_exynos
CVE-2022-42523 A-243376893 * EoP Moderate rild_exynos
CVE-2022-42525 A-243509750 * EoP Moderate rild_exynos
CVE-2022-42526 A-243509880 * EoP Moderate rild_exynos
CVE-2022-20560 A-212623833 * ID Moderate Kernel
CVE-2022-20570 A-230660904 * ID Moderate Modem
CVE-2022-20593 A-239415809 * ID Moderate gralloc
CVE-2022-20595 A-239700137 * ID Moderate Wireless Charger
CVE-2022-20601 A-204541506 * ID Moderate Modem
CVE-2022-20605 A-231722405 * ID Moderate Modem
CVE-2022-20606 A-233230674 * ID Moderate Modem
CVE-2022-20609 A-239240808 * ID Moderate Cellular firmware
CVE-2022-42512 A-241763050 * ID Moderate rild_exynos
CVE-2022-42514 A-241763298 * ID Moderate rild_exynos
CVE-2022-42515 A-241763503 * ID Moderate rild_exynos
CVE-2022-42516 A-241763577 * ID Moderate rild_exynos
CVE-2022-42517 A-241763682 * ID Moderate rild_exynos
CVE-2022-42522 A-243130038 * ID Moderate rild_exynos
CVE-2022-42524 A-243401445 * ID Moderate Modem
CVE-2022-42527 A-244448906 * DoS Moderate Modem

Qualcomm components

CVE References Severity Subcomponent
CVE-2022-25677 A-235114749 QC-CR#3122626 QC-CR#3103567 Moderate Bootloader

Qualcomm closed-source components

CVE References Severity Subcomponent
CVE-2021-30348 A-202032128 * Moderate Closed-source component
CVE-2022-25675 A-208302286 * Moderate Closed-source component

Functional patches

For details on the new bug fixes and functional patches included in this release, refer to the Pixel Community forum.

Common questions and answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

Security patch levels of 2022-12-05 or later address all issues associated with the 2022-12-05 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

2. What do the entries in the Type column mean?

Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.

Abbreviation Definition
RCE Remote code execution
EoP Elevation of privilege
ID Information disclosure
DoS Denial of service
N/A Classification not available

3. What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

Prefix Reference
A- Android bug ID
QC- Qualcomm reference number
M- MediaTek reference number
N- NVIDIA reference number
B- Broadcom reference number
U- UNISOC reference number

4. What does an * next to the Android bug ID in the References column mean?

Issues that are not publicly available have an * next to the Android bug ID in the References column. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

5. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin, are not required for declaring a security patch level.

Versions

Version Date Notes
1.0 December 5, 2022 Bulletin Published
1.1 December 7, 2022 Bulletin Updated
1.2 December 15, 2022 Revised CVE table
1.3 December 22, 2022 Revised CVE table