Vulnerability identifier: #VU62452
Vulnerability risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID: CWE-134
Exploitation vector: Local
Exploit availability: No
Vulnerable software: libinput
Other software / Other software solutions
Vendor: Freedesktop.org
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a format string error during a logging operation. A local user able to control the device name, e.g. via /dev/uinput or a Bluetooth device, can trigger a format string error and execute arbitrary code on the system with elevated privileges.
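The bug class described above (CWE-134), as an added illustration that is not libinput's own code: a logger that pastes the device name into the format string, next to one that passes the name only as data. The function names and the device name are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (CWE-134): the device name becomes part of the
 * format string, so every '%' in it is parsed as a conversion. */
static int log_vulnerable(char *out, size_t n, const char *devname,
                          const char *fmt, ...)
{
    char merged[256];
    va_list ap;
    int r;

    snprintf(merged, sizeof(merged), "%s: %s", devname, fmt);
    va_start(ap, fmt);
    r = vsnprintf(out, n, merged, ap); /* devname is now format text */
    va_end(ap);
    return r;
}

/* Hardened form: the name is only ever an argument to "%s"; the sole
 * format string parsed is the caller's constant fmt. */
static int log_safe(char *out, size_t n, const char *devname,
                    const char *fmt, ...)
{
    va_list ap;
    int used, r;

    used = snprintf(out, n, "%s: ", devname);
    if (used < 0 || (size_t)used >= n)
        return used; /* error or truncated prefix: nothing more to add */
    va_start(ap, fmt);
    r = vsnprintf(out + used, n - (size_t)used, fmt, ap);
    va_end(ap);
    return r < 0 ? r : used + r;
}

int main(void)
{
    /* Constructed name with two '%' characters. "%%" takes no argument,
     * so the vulnerable call stays well-defined while still showing
     * that the name is interpreted instead of printed. */
    const char *name = "pad 100%% done";
    char a[64], b[64];

    log_vulnerable(a, sizeof(a), name, "code %d", 7);
    log_safe(b, sizeof(b), name, "code %d", 7);
    printf("%s\n%s\ndiffer: %d\n", a, b, strcmp(a, b) != 0);
    return 0;
}
```

A logged name that differs from the name the device reports is the observable sign that the name reached a format parser.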
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
libinput: 1.10.0 - 1.19.901, 1.20.0
External links
https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
Can this vulnerability be exploited remotely?
No. The attacker must have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.