CVE-2022-38687 is a medium-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, T610, T310, T606, T760, T618, T612, T616, T770, T820, and S8000. These chipsets are integrated into devices running Android versions 10, 11, and 12. The vulnerability arises from a missing permission check within the messaging service component of the affected devices. This flaw allows a local attacker—who has limited privileges but no additional execution rights—to trigger uncontrolled resource consumption, leading to a denial of service (DoS) condition specifically targeting the messaging service. The attack does not require user interaction, making it easier to exploit once local access is obtained. The CVSS v3.1 score is 5.5, reflecting a medium severity level, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), but high impact on availability (A:H). No known exploits have been reported in the wild, and no patches have been linked yet. The vulnerability could cause the messaging service to become unresponsive or crash, potentially disrupting critical communication functions on affected devices.

For European organizations, especially those relying on mobile devices embedded with Unisoc chipsets running Android 10 to 12, this vulnerability poses a risk of local denial of service attacks that could disrupt messaging capabilities. This can impact business continuity, particularly in sectors where timely communication is critical, such as healthcare, emergency services, and finance. Although exploitation requires local access with some privileges, insider threats or malware that gains limited local access could leverage this vulnerability to degrade device functionality. The unavailability of messaging services could hinder operational workflows and emergency communications. Additionally, given the widespread use of Android devices in Europe, organizations using devices with affected chipsets could face increased support costs and potential reputational damage if service disruptions occur. However, the lack of remote exploitability and no known active exploitation reduce the immediate risk level.

European organizations should prioritize identifying devices using the affected Unisoc chipsets and Android versions 10 through 12 within their environment. Since no patches are currently linked, organizations should monitor Unisoc and device manufacturers for firmware or OS updates addressing this vulnerability. In the interim, restricting local access to devices is critical—implement strict endpoint security controls to prevent unauthorized local access, including enforcing strong authentication and limiting physical access. Deploy mobile device management (MDM) solutions to monitor device health and detect abnormal resource consumption patterns indicative of exploitation attempts. Educate users about the risks of installing untrusted applications or granting unnecessary permissions that could facilitate local privilege escalation. For high-security environments, consider isolating or replacing devices with vulnerable chipsets until patches are available. Regularly review and update security policies to include controls against local privilege abuse and resource exhaustion attacks.