Huawei has officially started the EMUI 12 stable rollout for global devices. In terms of security patches, Huawei also focuses on the HarmonyOS/EMUI update for its eligible devices in a regular manner. Apart from the EMUI 12 and HarmonyOS, the May 2022 Huawei EMUI security patch is now live and it fixes 14 High levels, and 16 mediums while there are no low levels of CVEs.
Huawei released May 2022 EMUI patch details:
Critical: CVE-2021-35081
High: CVE-2021-0694, CVE-2021-39795, CVE-2021-39803, CVE-2021-39804, CVE-2021-39794, CVE-2021-39796, CVE-2021-39808, CVE-2021-39809, CVE-2021-30334, CVE-2021-35130, CVE-2021-0707, CVE-2021-39800, CVE-2021-39801, CVE-2021-39776
Medium: CVE-2021-39771, CVE-2021-35071, CVE-2021-39739, CVE-2021-39741, CVE-2021-39748, CVE-2021-39759, CVE-2021-39760, CVE-2021-39762, CVE-2021-39763, CVE-2021-39764, CVE-2021-39774, CVE-2021-39777, CVE-2021-39781, CVE-2021-39746, CVE-2021-39757, CVE-2021-39786
Low: none
Already included in previous updates: CVE-2021-30276, CVE-2021-30285, CVE-2021-39690, CVE-2022-20047, CVE-2022-20048, CVE-2021-1918, CVE-2021-30267, CVE-2021-30268, CVE-2021-30269, CVE-2021-30270, CVE-2021-30271, CVE-2021-30273, CVE-2021-30283, CVE-2021-30289, CVE-2021-30293, CVE-2021-30303, CVE-2021-30287, CVE-2021-30300, CVE-2021-30301, CVE-2021-30307, CVE-2021-21781, CVE-2021-39715
※For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).
This security update includes the following HUAWEI patches:
CVE-2021-46785: Improper permission control vulnerability in the Property module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability can result in the obtaining of the unique device identifier.
Acknowledgment: Zhang Qing (ByteDance), Wang Kailong (NUS), and Bai Guang Dong (UQ)
CVE-2021-46789: Configuration defects in the secure OS module
Severity: Medium
Affected versions: EMUI 11.0.1
Impact: Successful exploitation of this vulnerability will affect availability.
CVE-2021-46788: Third-party pop-up window coverage vulnerability in the iConnect module
Severity: Medium
Affected versions: EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0
Impact: System pop-up window may be covered to mislead users to perform incorrect operations.
CVE-2021-46787: Improper permission control vulnerability in the AMS module
Severity: High
Affected versions: EMUI 11.0.1, EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0
Impact: Successful exploitation of this vulnerability may cause non-system application processes to crash.
CVE-2021-46786: Insufficient verification of the parameters transferred by the application space in the audio module
Severity: Medium
Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0
Impact: Successful exploitation of this vulnerability may cause out-of-bounds memory access.
CVE-2021-40010: Heap overflow vulnerability in the bone voice ID trusted application (TA).
Severity: Critical
Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0
Impact: Successful exploitation of this vulnerability may result in malicious code execution.
CVE-2022-22258: Event notification vulnerability in the Wi-Fi module
Severity: Medium
Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, HMOS 2.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0
Impact: Successful exploitation of this vulnerability may cause third-party apps to intercept and add information and result in elevation-of-privilege.
CVE-2022-29794: UAF vulnerability in the frame scheduling module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will affect integrity, availability, and confidentiality.
CVE-2022-22261: Unstrict verification of the validity of the weight in the model in hiaiserver
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will cause AI service exceptions.
CVE-2022-29793: Configuration defects in the activation lock of the mobile phone
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2022-29792: Serial number obtaining vulnerability in the chip assembly
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect confidentiality.
CVE-2022-29791: Unstrict verification of the validity of the weight in the model in hiaiserver
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will cause AI service exceptions.
CVE-2022-29790: Service abnormality caused by multi-threaded access to the database in the graphics acceleration service
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may cause service exceptions.
CVE-2022-29789: Unstrict verification of the validity of the property in the model in hiaiserver
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will cause AI service exceptions.
CVE-2022-29795: Null pointer dereference vulnerability in the frame scheduling module
Severity: High
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will affect availability.
CVE-2022-29796: Unstrict verification of the validity of the weight in the model in hiaiserver
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability will cause AI service exceptions.
CVE-2022-22260: UAF vulnerability in the kernel module
Severity: Medium
Affected versions: EMUI 12.0.0.
