7.3

CVE-2022-2652

Exploit

EPSS 0.05%
Veröffentlicht 04.08.2022 10:15:07
Zuletzt bearbeitet 21.11.2024 07:01:26
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

Depending on the way the format strings in the card label are crafted it's possible to leak kernel stack memory. There is also the possibility for DoS due to the v4l2loopback kernel module crashing when providing the card label on request (reproduce e.g. with many %s modifiers in a row).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

V4l2loopback Project ≫ V4l2loopback Version < 0.12.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.166

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6	0.8	5.2	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
security@huntr.dev	7.3	1.5	5.3	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L

CWE-134 Use of Externally-Controlled Format String

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

https://github.com/umlaeute/v4l2loopback/commit/e4cd225557486c420f6a34411f98c575effd43dd

Patch

Third Party Advisory

https://huntr.dev/bounties/1b055da5-7a9e-4409-99d7-030280d242d5

Patch

Third Party Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2022-2652

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-2652

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-2652

EUVD