CVE-2022-2652

low-risk

Published 2022-08-04

Depending on the way the format strings in the card label are crafted it's possible to leak kernel stack memory. There is also the possibility for DoS due to the v4l2loopback kernel module crashing when providing the card label on request (reproduce e.g. with many %s modifiers in a row).

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.0/10 Medium

LOCAL / LOW complexity

Affected Products (1)

V4L2Loopback

Affected Vendors

V4L2Loopback Project

References (4)

Patch https://github.com/umlaeute/v4l2loopback/commit/e4cd225557486c420f6a34411f98c575...

Exploit https://huntr.dev/bounties/1b055da5-7a9e-4409-99d7-030280d242d5

Patch https://github.com/umlaeute/v4l2loopback/commit/e4cd225557486c420f6a34411f98c575...

Exploit https://huntr.dev/bounties/1b055da5-7a9e-4409-99d7-030280d242d5

/ 100

low-risk

Severity 20/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal