Annual recap
Mobile security · 2022
2022 review indexed by Appaloosa Scout: 1 279 mobile CVEs published, 84 added to the CISA KEV catalog (exploited in real attacks), 4 mobile apps affected by at least one KEV.
- CVEs indexed this year: 1 279
- CISA KEV added: 84
- Tracked apps affected: 4
Severity distribution
- CRITICAL: 122
- HIGH: 1 075
- MEDIUM: 79
- LOW: 2
Top 10 mobile KEV of the year
Sorted by number of mobile apps affected (CVSS as tiebreaker).
| CVE | Severity | Apps | Added to KEV | Description |
|---|---|---|---|---|
| CVE-2019-11708 | CRITICAL 10.0 | 1 | 2022-05-23 | Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandbox… |
| CVE-2022-26486 | CRITICAL 9.6 | 1 | 2022-03-07 | An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of att… |
| CVE-2019-11707 | HIGH 8.8 | 1 | 2022-05-23 | A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable… |
| CVE-2013-1690 | HIGH 8.8 | 1 | 2022-03-28 | Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not prope… |
| CVE-2022-26485 | HIGH 8.8 | 1 | 2022-03-07 | Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild a… |
| CVE-2019-18426 | HIGH 8.2 | 1 | 2022-05-23 | A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-… |
| CVE-2018-20250 | HIGH 7.8 | 1 | 2022-02-15 | In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (i… |
| CVE-2013-1675 | MEDIUM 6.5 | 1 | 2022-03-03 | Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 do not prope… |
| CVE-2020-0796 | CRITICAL 10.0 | 0 | 2022-02-10 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability |
| CVE-2021-31166 | CRITICAL 9.8 | 0 | 2022-04-06 | HTTP Protocol Stack Remote Code Execution Vulnerability |
Top vendors by KEV this year
- 1. Mozilla: 6 KEV · 2 apps
- 2. WhatsApp Inc.: 1 KEV · 1 app
- 3. win.rar GmbH: 1 KEV · 1 app
Most affected apps
Methodology
KEV: added to the CISA catalog during the year (kev_added_date). CVE: NVD publication date. Apps: those indexed in Scout at query time; the history evolves as new mappings are added.