CVE-2022-2652

Use of Externally-Controlled Format String in umlaeute/v4l2loopback

CVSS 7.3 HIGHEPSS 0.3%CWE-134

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

04 ago 2022Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Depending on the way the format strings in the card label are crafted it's possible to leak kernel stack memory. There is also the possibility for DoS due to the v4l2loopback kernel module crashing when providing the card label on request (reproduce e.g. with many %s modifiers in a row).

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L

Productos afectados

umlaeute · umlaeute/v4l2loopback

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/umlaeute/v4l2loopback/commit/e4cd225557486c420f6a34411f98c575effd43dd https://huntr.dev/bounties/1b055da5-7a9e-4409-99d7-030280d242d5