CVE-2022-38677: CWE-400 Uncontrolled Resource Consumption in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
In cell service, there is a missing permission check. This could lead to local denial of service in cell service with no additional execution privileges needed.
AI Analysis
Technical Summary
CVE-2022-38677 is a vulnerability identified in several Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, and multiple others used in mobile devices running Android 10, 11, and 12. The vulnerability stems from a missing permission check within the cellular service component of these chipsets. Specifically, this flaw allows a local attacker with limited privileges (low-level privileges) to trigger uncontrolled resource consumption, leading to a denial of service (DoS) condition in the cellular service. The vulnerability is classified under CWE-400, which pertains to uncontrolled resource consumption or resource exhaustion. Exploiting this vulnerability does not require additional execution privileges or user interaction, making it easier for an attacker with local access to cause disruption. The CVSS v3.1 base score is 5.5 (medium severity), reflecting the fact that while the impact is limited to availability (denial of service), the attack vector is local and requires low privileges. The vulnerability does not affect confidentiality or integrity but can disrupt cellular connectivity by causing the cellular service to become unavailable or unstable. No known exploits have been reported in the wild, and no patches have been linked or published at the time of this analysis. The affected chipsets are commonly found in budget and mid-range smartphones, particularly those using Unisoc SoCs, which are prevalent in certain markets. The vulnerability's impact is primarily on the availability of cellular services, potentially causing service interruptions or degraded network performance on affected devices.
Potential Impact
For European organizations, the impact of CVE-2022-38677 could manifest in several ways. Organizations relying on mobile devices equipped with Unisoc chipsets for critical communications may experience interruptions in cellular connectivity, affecting business operations, especially for field workers, remote employees, or IoT deployments using cellular networks. The denial of service in cellular service could lead to temporary loss of voice, SMS, or data connectivity, impacting communication reliability. While the vulnerability requires local access, this could be exploited by malicious insiders or through compromised devices. The disruption of cellular service could also affect emergency communications or location-based services. Although the vulnerability does not directly compromise data confidentiality or integrity, the availability impact could degrade operational continuity. European enterprises in sectors such as logistics, transportation, utilities, and public safety that depend on mobile connectivity should be particularly cautious. The absence of known exploits reduces immediate risk, but the medium severity rating and the widespread use of affected chipsets in certain device segments warrant proactive mitigation.
Mitigation Recommendations
To mitigate CVE-2022-38677, European organizations should: 1) Inventory and identify devices using affected Unisoc chipsets running Android 10, 11, or 12 to assess exposure. 2) Engage with device manufacturers and vendors to obtain firmware or OS updates that address this vulnerability once available. 3) Implement strict device usage policies limiting local access to trusted users only, reducing the risk of local exploitation. 4) Employ mobile device management (MDM) solutions to monitor device health and detect abnormal cellular service disruptions indicative of exploitation attempts. 5) For critical deployments, consider using devices with chipsets not affected by this vulnerability or with timely patch support. 6) Educate users about the risks of installing untrusted applications or granting unnecessary permissions that could facilitate local exploitation. 7) Monitor security advisories from Unisoc, Android, and relevant CERTs for updates and patches. 8) In environments where cellular availability is critical, implement fallback communication channels to mitigate potential service disruptions. These steps go beyond generic advice by focusing on device inventory, vendor coordination, access control, and operational continuity planning.
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Poland, Netherlands, Belgium
CVE-2022-38677: CWE-400 Uncontrolled Resource Consumption in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
Description
In cell service, there is a missing permission check. This could lead to local denial of service in cell service with no additional execution privileges needed.
AI-Powered Analysis
Technical Analysis
CVE-2022-38677 is a vulnerability identified in several Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, and multiple others used in mobile devices running Android 10, 11, and 12. The vulnerability stems from a missing permission check within the cellular service component of these chipsets. Specifically, this flaw allows a local attacker with limited privileges (low-level privileges) to trigger uncontrolled resource consumption, leading to a denial of service (DoS) condition in the cellular service. The vulnerability is classified under CWE-400, which pertains to uncontrolled resource consumption or resource exhaustion. Exploiting this vulnerability does not require additional execution privileges or user interaction, making it easier for an attacker with local access to cause disruption. The CVSS v3.1 base score is 5.5 (medium severity), reflecting the fact that while the impact is limited to availability (denial of service), the attack vector is local and requires low privileges. The vulnerability does not affect confidentiality or integrity but can disrupt cellular connectivity by causing the cellular service to become unavailable or unstable. No known exploits have been reported in the wild, and no patches have been linked or published at the time of this analysis. The affected chipsets are commonly found in budget and mid-range smartphones, particularly those using Unisoc SoCs, which are prevalent in certain markets. The vulnerability's impact is primarily on the availability of cellular services, potentially causing service interruptions or degraded network performance on affected devices.
Potential Impact
For European organizations, the impact of CVE-2022-38677 could manifest in several ways. Organizations relying on mobile devices equipped with Unisoc chipsets for critical communications may experience interruptions in cellular connectivity, affecting business operations, especially for field workers, remote employees, or IoT deployments using cellular networks. The denial of service in cellular service could lead to temporary loss of voice, SMS, or data connectivity, impacting communication reliability. While the vulnerability requires local access, this could be exploited by malicious insiders or through compromised devices. The disruption of cellular service could also affect emergency communications or location-based services. Although the vulnerability does not directly compromise data confidentiality or integrity, the availability impact could degrade operational continuity. European enterprises in sectors such as logistics, transportation, utilities, and public safety that depend on mobile connectivity should be particularly cautious. The absence of known exploits reduces immediate risk, but the medium severity rating and the widespread use of affected chipsets in certain device segments warrant proactive mitigation.
Mitigation Recommendations
To mitigate CVE-2022-38677, European organizations should: 1) Inventory and identify devices using affected Unisoc chipsets running Android 10, 11, or 12 to assess exposure. 2) Engage with device manufacturers and vendors to obtain firmware or OS updates that address this vulnerability once available. 3) Implement strict device usage policies limiting local access to trusted users only, reducing the risk of local exploitation. 4) Employ mobile device management (MDM) solutions to monitor device health and detect abnormal cellular service disruptions indicative of exploitation attempts. 5) For critical deployments, consider using devices with chipsets not affected by this vulnerability or with timely patch support. 6) Educate users about the risks of installing untrusted applications or granting unnecessary permissions that could facilitate local exploitation. 7) Monitor security advisories from Unisoc, Android, and relevant CERTs for updates and patches. 8) In environments where cellular availability is critical, implement fallback communication channels to mitigate potential service disruptions. These steps go beyond generic advice by focusing on device inventory, vendor coordination, access control, and operational continuity planning.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Unisoc
- Date Reserved
- 2022-08-22T00:00:00.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0fb1484d88663aec6d2
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 11:40:14 AM
Last updated: 7/30/2025, 3:57:37 AM
Views: 11
Related Threats
CVE-2025-54466: CWE-94 Improper Control of Generation of Code ('Code Injection') in Apache Software Foundation Apache OFBiz
UnknownCVE-2025-9053: SQL Injection in projectworlds Travel Management System
MediumCVE-2025-9052: SQL Injection in projectworlds Travel Management System
MediumCVE-2025-9019: Heap-based Buffer Overflow in tcpreplay
LowCVE-2025-9017: Cross Site Scripting in PHPGurukul Zoo Management System
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.