CVE-2022-38679: CWE-400 Uncontrolled Resource Consumption in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
In music service, there is a missing permission check. This could lead to local denial of service in music service with no additional execution privileges needed.
AI Analysis
Technical Summary
CVE-2022-38679 is a medium-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting multiple Unisoc (Shanghai) Technologies Co., Ltd. SoC models including SC9863A, SC9832E, SC7731E, T610, T310, T606, T760, T618, T612, T616, T770, T820, and S8000. These chipsets are integrated into devices running Android versions 10, 11, and 12. The vulnerability arises from a missing permission check in the music service component of the affected devices. This flaw allows a local attacker with limited privileges (PR:L) to trigger a denial of service (DoS) condition by exhausting resources within the music service, without requiring any user interaction (UI:N). The attack vector is local, meaning the attacker must have some level of access to the device, such as through a malicious app or local user access. The CVSS v3.1 base score is 5.5, reflecting a medium severity impact primarily on availability (A:H) with no impact on confidentiality or integrity. The vulnerability does not require elevated privileges beyond limited local permissions and does not require user interaction, making exploitation feasible in scenarios where an attacker can run code locally. No known exploits have been reported in the wild, and no patches have been linked or published at the time of this report. The root cause is the lack of proper permission enforcement in the music service, which can be abused to consume resources uncontrollably, leading to service disruption or device instability. This vulnerability is particularly relevant for devices using Unisoc chipsets with the specified Android versions, which are commonly found in budget and mid-range smartphones, especially in emerging markets.
Potential Impact
For European organizations, the primary impact of this vulnerability is the potential for local denial of service on devices using affected Unisoc chipsets. This could disrupt business operations relying on mobile devices for communication, media playback, or other functions involving the music service. Although the attack requires local access, compromised devices could be rendered unstable or unresponsive, affecting employee productivity and potentially causing data loss if devices crash unexpectedly. In sectors where mobile devices are critical, such as field services, logistics, or remote workforces, this could degrade operational efficiency. Additionally, if attackers leverage this vulnerability as part of a multi-stage attack, it could serve as a foothold for further exploitation or lateral movement within an organization’s mobile device ecosystem. However, since the vulnerability does not impact confidentiality or integrity directly and requires local access, the risk of widespread data breaches is limited. The absence of known exploits reduces immediate threat levels but does not eliminate the risk of future exploitation. Organizations using devices with Unisoc chipsets should be aware of this vulnerability to prevent potential denial of service scenarios that could impact device availability and user experience.
Mitigation Recommendations
To mitigate CVE-2022-38679, European organizations should first identify all devices running on the affected Unisoc chipsets and Android versions (10, 11, 12). Since no official patches are currently linked, organizations should monitor Unisoc and device manufacturers for firmware or OS updates addressing this issue and apply them promptly once available. In the interim, restrict installation of untrusted or unnecessary local applications that could exploit this vulnerability by enforcing strict app whitelisting and mobile device management (MDM) policies. Employ endpoint protection solutions capable of detecting anomalous local resource consumption patterns indicative of exploitation attempts. Educate users about the risks of installing apps from unverified sources and the importance of device security hygiene. For high-risk environments, consider isolating or limiting the use of affected devices until patches are available. Additionally, collaborate with device vendors to request timely security updates and verify the integrity of music service components. Regularly audit device permissions and monitor logs for unusual activity related to the music service to detect potential exploitation attempts early.
Affected Countries
Germany, France, Italy, Spain, Poland, United Kingdom, Netherlands
CVE-2022-38679: CWE-400 Uncontrolled Resource Consumption in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
Description
In music service, there is a missing permission check. This could lead to local denial of service in music service with no additional execution privileges needed.
AI-Powered Analysis
Technical Analysis
CVE-2022-38679 is a medium-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting multiple Unisoc (Shanghai) Technologies Co., Ltd. SoC models including SC9863A, SC9832E, SC7731E, T610, T310, T606, T760, T618, T612, T616, T770, T820, and S8000. These chipsets are integrated into devices running Android versions 10, 11, and 12. The vulnerability arises from a missing permission check in the music service component of the affected devices. This flaw allows a local attacker with limited privileges (PR:L) to trigger a denial of service (DoS) condition by exhausting resources within the music service, without requiring any user interaction (UI:N). The attack vector is local, meaning the attacker must have some level of access to the device, such as through a malicious app or local user access. The CVSS v3.1 base score is 5.5, reflecting a medium severity impact primarily on availability (A:H) with no impact on confidentiality or integrity. The vulnerability does not require elevated privileges beyond limited local permissions and does not require user interaction, making exploitation feasible in scenarios where an attacker can run code locally. No known exploits have been reported in the wild, and no patches have been linked or published at the time of this report. The root cause is the lack of proper permission enforcement in the music service, which can be abused to consume resources uncontrollably, leading to service disruption or device instability. This vulnerability is particularly relevant for devices using Unisoc chipsets with the specified Android versions, which are commonly found in budget and mid-range smartphones, especially in emerging markets.
Potential Impact
For European organizations, the primary impact of this vulnerability is the potential for local denial of service on devices using affected Unisoc chipsets. This could disrupt business operations relying on mobile devices for communication, media playback, or other functions involving the music service. Although the attack requires local access, compromised devices could be rendered unstable or unresponsive, affecting employee productivity and potentially causing data loss if devices crash unexpectedly. In sectors where mobile devices are critical, such as field services, logistics, or remote workforces, this could degrade operational efficiency. Additionally, if attackers leverage this vulnerability as part of a multi-stage attack, it could serve as a foothold for further exploitation or lateral movement within an organization’s mobile device ecosystem. However, since the vulnerability does not impact confidentiality or integrity directly and requires local access, the risk of widespread data breaches is limited. The absence of known exploits reduces immediate threat levels but does not eliminate the risk of future exploitation. Organizations using devices with Unisoc chipsets should be aware of this vulnerability to prevent potential denial of service scenarios that could impact device availability and user experience.
Mitigation Recommendations
To mitigate CVE-2022-38679, European organizations should first identify all devices running on the affected Unisoc chipsets and Android versions (10, 11, 12). Since no official patches are currently linked, organizations should monitor Unisoc and device manufacturers for firmware or OS updates addressing this issue and apply them promptly once available. In the interim, restrict installation of untrusted or unnecessary local applications that could exploit this vulnerability by enforcing strict app whitelisting and mobile device management (MDM) policies. Employ endpoint protection solutions capable of detecting anomalous local resource consumption patterns indicative of exploitation attempts. Educate users about the risks of installing apps from unverified sources and the importance of device security hygiene. For high-risk environments, consider isolating or limiting the use of affected devices until patches are available. Additionally, collaborate with device vendors to request timely security updates and verify the integrity of music service components. Regularly audit device permissions and monitor logs for unusual activity related to the music service to detect potential exploitation attempts early.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Unisoc
- Date Reserved
- 2022-08-22T00:00:00.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0fb1484d88663aec6d4
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 11:40:32 AM
Last updated: 7/27/2025, 12:27:16 AM
Views: 12
Related Threats
CVE-2025-3892: CWE-250: Execution with Unnecessary Privileges in Axis Communications AB AXIS OS
MediumCVE-2025-30027: CWE-1287: Improper Validation of Specified Type of Input in Axis Communications AB AXIS OS
MediumCVE-2025-7622: CWE-918: Server-Side Request Forgery (SSRF) in Axis Communications AB AXIS Camera Station Pro
MediumCVE-2025-8314: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in emarket-design Project Management, Bug and Issue Tracking Plugin – Software Issue Manager
MediumCVE-2025-8059: CWE-862 Missing Authorization in bplugins B Blocks – The ultimate block collection
CriticalActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.