Skip to main content

CVE-2022-38687: CWE-400 Uncontrolled Resource Consumption in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000

Medium
VulnerabilityCVE-2022-38687cvecve-2022-38687cwe-400
Published: Fri Oct 14 2022 (10/14/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000

Description

In messaging service, there is a missing permission check. This could lead to local denial of service in messaging service with no additional execution privileges needed.

AI-Powered Analysis

AILast updated: 07/06/2025, 11:40:46 UTC

Technical Analysis

CVE-2022-38687 is a medium-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, T610, T310, T606, T760, T618, T612, T616, T770, T820, and S8000. These chipsets are integrated into devices running Android versions 10, 11, and 12. The vulnerability arises from a missing permission check within the messaging service component of the affected devices. This flaw allows a local attacker—who has limited privileges but no additional execution rights—to trigger uncontrolled resource consumption, leading to a denial of service (DoS) condition specifically targeting the messaging service. The attack does not require user interaction, making it easier to exploit once local access is obtained. The CVSS v3.1 score is 5.5, reflecting a medium severity level, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), but high impact on availability (A:H). No known exploits have been reported in the wild, and no patches have been linked yet. The vulnerability could cause the messaging service to become unresponsive or crash, potentially disrupting critical communication functions on affected devices.

Potential Impact

For European organizations, especially those relying on mobile devices embedded with Unisoc chipsets running Android 10 to 12, this vulnerability poses a risk of local denial of service attacks that could disrupt messaging capabilities. This can impact business continuity, particularly in sectors where timely communication is critical, such as healthcare, emergency services, and finance. Although exploitation requires local access with some privileges, insider threats or malware that gains limited local access could leverage this vulnerability to degrade device functionality. The unavailability of messaging services could hinder operational workflows and emergency communications. Additionally, given the widespread use of Android devices in Europe, organizations using devices with affected chipsets could face increased support costs and potential reputational damage if service disruptions occur. However, the lack of remote exploitability and no known active exploitation reduce the immediate risk level.

Mitigation Recommendations

European organizations should prioritize identifying devices using the affected Unisoc chipsets and Android versions 10 through 12 within their environment. Since no patches are currently linked, organizations should monitor Unisoc and device manufacturers for firmware or OS updates addressing this vulnerability. In the interim, restricting local access to devices is critical—implement strict endpoint security controls to prevent unauthorized local access, including enforcing strong authentication and limiting physical access. Deploy mobile device management (MDM) solutions to monitor device health and detect abnormal resource consumption patterns indicative of exploitation attempts. Educate users about the risks of installing untrusted applications or granting unnecessary permissions that could facilitate local privilege escalation. For high-security environments, consider isolating or replacing devices with vulnerable chipsets until patches are available. Regularly review and update security policies to include controls against local privilege abuse and resource exhaustion attacks.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Unisoc
Date Reserved
2022-08-22T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fb1484d88663aec6d6

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 11:40:46 AM

Last updated: 7/26/2025, 10:20:09 PM

Views: 11

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats