CVE-2022-22265 — Samsung Mobile Devices Use-After-Free Vulnerability

Samsung Mobile Devices — Exynos Chipset Kernel UAF in dp_rx_desc_pool Enabling Local Privilege Escalation

What is the Samsung Exynos Chipset?

Samsung's Exynos chipsets are system-on-chip (SoC) processors used in Samsung Galaxy smartphones sold in certain markets (primarily Europe, South Korea and parts of Asia; North American variants typically ship with Qualcomm Snapdragon). An Exynos SoC integrates the application processor, usually the cellular modem, and various hardware accelerators, and the device firmware carries the kernel drivers for the SoC and its peripheral radios (Wi-Fi, Bluetooth). These drivers run in privileged kernel space, so a memory-safety bug in driver code reachable from user space can be exploited by an application to escalate privileges to root.

Overview

CVE-2022-22265 is a use-after-free (UAF) in the dp_rx_desc_pool component of the Exynos kernel driver code. The vulnerability record tags it CWE-703, but the defect Samsung describes is a classic use-after-free (CWE-416): freed memory is accessed through a stale pointer. A local application can exploit the freed memory to obtain an arbitrary memory write and execute code in the kernel context, enabling privilege escalation. Samsung fixed it in the January 2022 Mobile Security Bulletin (SMR Jan-2022 Release 1). CISA added it to the KEV catalog on 2023-09-18, roughly 20 months after the patch, which means exploitation in the wild had been confirmed; the delay is consistent with use in targeted attack chains against devices that had not received the update, although no public exploit details are cited here.

Affected Versions

Product                                      Vulnerable                        Fixed
Samsung Galaxy devices with Exynos chipsets  Prior to SMR Jan-2022 Release 1   SMR Jan-2022 Release 1 (January 2022 Security Bulletin)
Snapdragon-based Samsung devices             Not affected                      N/A (Exynos-specific driver)

Technical Details

Samsung's bulletin names only the affected component, dp_rx_desc_pool. The name denotes a data-path receive-descriptor pool, the kind of structure a networking driver (typically the Wi-Fi data path) uses to track DMA receive buffers. The UAF occurs when the pool is freed while another code path still holds a pointer into it:

  • Root cause: the pool object is freed, but a pointer to it is retained elsewhere in the driver, so later code reads and writes the freed region. Samsung describes the outcome as arbitrary memory write and code execution
  • Exploitation: an attacker-controlled application triggers the free, then shapes kernel heap allocations so that an object of its choosing lands in the freed slot; the stale access now operates on attacker-chosen data, yielding type confusion or an arbitrary write primitive (the CVSS vector records High attack complexity and Required user interaction for the trigger)
  • Impact: kernel code execution, i.e. privilege escalation from an ordinary app context to kernel/root
  • Local access required: the attacker needs code running on the device, for example a malicious installed or side-loaded app, or a sandboxed process already compromised by an earlier exploit stage
  • Typical use: kernel UAFs serve as the privilege-escalation stage of a mobile exploit chain. After a browser renderer exploit (Chrome/V8 or Samsung Internet on Android) provides initial code execution inside a sandbox, the kernel stage breaks out of that sandbox to reach device sensors, files and communications
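The lifetime bug the bullets describe, reduced to a constructed C model. This is an added example and not the Exynos driver's code: two rings share one receive-descriptor pool; the vulnerable teardown frees the pool and clears only the owner's pointer, leaving the other ring's copy dangling, while the hardened variant reference-counts every holder and clears the detaching ring's pointer so a later access fails closed instead of touching freed memory. All names (rx_desc_pool, rx_ring, ring_attach, ring_detach, pool_free_vulnerable) are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a receive-descriptor pool shared by several consumers.
 * NOT the Exynos driver code; it reproduces only the lifetime pattern in the
 * advisory: an object freed while another path still holds a pointer to it. */
#define POOL_DESCS 4

struct rx_desc {
    uint32_t buf_paddr;   /* DMA address of the receive buffer (placeholder) */
    uint16_t buf_len;
    uint8_t  in_use;
};

struct rx_desc_pool {
    struct rx_desc desc[POOL_DESCS];
    int refcount;         /* used only by the hardened variant */
};

/* A consumer of the pool, e.g. a data-path ring. Several rings may share one pool. */
struct rx_ring {
    struct rx_desc_pool *pool;
};

struct rx_desc_pool *pool_create(void)
{
    return calloc(1, sizeof(struct rx_desc_pool));   /* refcount 0, no holders */
}

/* Claim the first free descriptor; returns its index, or -1 if none or no pool. */
int ring_claim_desc(struct rx_ring *ring)
{
    if (ring->pool == NULL)
        return -1;        /* detached ring: refuse, do not touch memory */
    for (int i = 0; i < POOL_DESCS; i++) {
        if (!ring->pool->desc[i].in_use) {
            ring->pool->desc[i].in_use = 1;
            return i;
        }
    }
    return -1;
}

/* --- vulnerable pattern ---------------------------------------------------- */

/* Rings copy the raw pointer; nothing records how many copies exist. */
void ring_attach_raw(struct rx_ring *ring, struct rx_desc_pool *pool)
{
    ring->pool = pool;
}

/* The owner frees the pool and clears only its own copy. Any other ring that
 * used ring_attach_raw() keeps a dangling pointer: its next ring_claim_desc()
 * passes the NULL check and writes into freed memory (the UAF). Not exercised
 * below, because the stale access is undefined behaviour. */
void pool_free_vulnerable(struct rx_ring *owner)
{
    free(owner->pool);
    owner->pool = NULL;
}

/* --- hardened pattern ------------------------------------------------------ */

/* Every holder takes a reference, so the pool cannot vanish underneath it. */
void ring_attach(struct rx_ring *ring, struct rx_desc_pool *pool)
{
    ring->pool = pool;
    pool->refcount++;
}

/* Drop this ring's reference. The pool is poisoned and freed only when the last
 * holder lets go, and the ring's own pointer is always cleared, so a later
 * ring_claim_desc() on it returns -1 rather than dereferencing freed memory. */
void ring_detach(struct rx_ring *ring)
{
    struct rx_desc_pool *p = ring->pool;
    if (p == NULL)
        return;           /* double detach is harmless */
    ring->pool = NULL;
    if (--p->refcount == 0) {
        memset(p, 0xAA, sizeof(*p));   /* poison: a stray read is obvious in a dump */
        free(p);
    }
}

int ring_refcount(const struct rx_ring *ring)
{
    return ring->pool ? ring->pool->refcount : 0;
}

int main(void)
{
    struct rx_desc_pool *pool = pool_create();
    struct rx_ring data = {0}, monitor = {0};

    ring_attach(&data, pool);
    ring_attach(&monitor, pool);
    ring_detach(&data);                   /* pool survives: monitor still holds it */
    printf("monitor refcount=%d claim=%d\n", ring_refcount(&monitor), ring_claim_desc(&monitor));
    printf("detached data ring claim=%d\n", ring_claim_desc(&data));
    ring_detach(&monitor);                /* last reference: pool freed here */
    return 0;
}
```

The NULL check in ring_claim_desc is not a fix on its own: after pool_free_vulnerable the second ring's pointer is non-NULL but stale, which is exactly the state an attacker exploits by reallocating the freed slot with controlled data before the stale access runs. The reference count closes that window because the memory is released only when no holder remains, and clearing the detaching ring's pointer turns any remaining logic error into a refused operation rather than a write to freed memory.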

Discovery

Disclosed in Samsung's January 2022 Mobile Security Bulletin, which credits no external reporter; the bulletin does not say who found the bug. The 20-month gap between the patch and the CISA KEV addition indicates that exploitation was observed, or became public, well after the fix was available.

Exploitation Context

Samsung kernel and driver vulnerabilities have repeatedly appeared in exploit chains used by commercial mobile surveillance vendors against journalists, activists and government officials. The pattern here, a long gap between the patch and the KEV addition, is consistent with a vulnerability used in targeted chains against devices that had not yet received the update. Samsung's security update delivery is carrier-dependent, so many devices remain unpatched for months after Samsung releases a fix, and devices past their support window never receive it.

Remediation

  1. Apply Samsung's January 2022 Mobile Security Update (SMR Jan-2022 Release 1) or any later monthly security patch
  2. Verify the Android Security Patch Level on the device: Settings → About Phone → Software Information. A patch level of 2022-01-01 or later includes the fix; on a managed fleet the same value is exposed as the ro.build.version.security_patch system property
  3. Enable automatic software updates on Samsung devices
  4. Until the update is installed, limit exposure to the local-attack prerequisite: exploitation needs a malicious app running on the device, so restrict side-loading and installs from outside trusted app stores
  5. Devices that no longer receive Samsung security updates (end-of-life models) should be replaced; an unpatched kernel UAF cannot be mitigated at the OS level without a vendor patch
  6. Track vendor and carrier rollout: carrier delays in shipping Samsung security patches are common and represent a meaningful exposure window

Key Details

Property               Value
CVE ID                 CVE-2022-22265
Vendor / Product       Samsung — Mobile Devices
NVD Published          2022-01-10
NVD Last Modified      2025-10-30
CVSS 3.1 Score         5.0
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
Severity               MEDIUM
CWE                    CWE-703
CISA KEV Added         2023-09-18
CISA KEV Deadline      2023-10-09
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Local
Attack Complexity      High
Privileges Required    Low
User Interaction       Required
Scope                  Changed
Confidentiality        Low
Integrity              Low
Availability           Low

Required Action

CISA BOD 22-01 Deadline: 2023-10-09. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2022-01-04    Samsung publishes the January 2022 Mobile Security Bulletin patching CVE-2022-22265
2022-01-10    CVE record published in NVD
2023-09-18    Added to the CISA Known Exploited Vulnerabilities catalog
2023-10-09    CISA BOD 22-01 remediation deadline

References

Resource                                          Type
Samsung Mobile Security Bulletin — January 2022   Vendor Advisory
NVD — CVE-2022-22265                              Vulnerability Database
CISA KEV Catalog Entry                            US Government