CVE-2022-20554: 
NixOS vulnerability analysis and mitigation

In removeEventHubDevice of InputDevice.cpp, there is a possible out-of-bounds read vulnerability due to a use-after-free condition (CVE-2022-20554). This vulnerability affects Android 13 and was disclosed in December 2022. The issue could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (NVD).

The vulnerability exists in the InputDevice.cpp component, specifically in the removeEventHubDevice function. It is classified as a use-after-free vulnerability that can lead to an out-of-bounds read condition. The vulnerability has been assigned a CVSS v3.1 base score of 6.7 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue has been assigned CWE-416 (Use After Free) (NVD).

If exploited, this vulnerability could allow an attacker to achieve local escalation of privilege with System execution privileges. The vulnerability affects confidentiality, integrity, and availability of the system, as indicated by the CVSS metrics showing High impact (H) for all three security properties (NVD).

The vulnerability was addressed in the Android Security Bulletin for December 2022. Users should update their Android devices to the latest available security patch level to mitigate this vulnerability (Pixel Update Bulletin).