Vulnerability Database

CVE-2022-33967

The squashfs filesystem implementation in U-Boot versions from v2020.10-rc2 to v2022.07-rc5 contains a heap-based buffer overflow vulnerability due to a defect in the metadata reading process. Loading a specially crafted squashfs image may lead to a denial-of-service (DoS) condition or arbitrary code execution.

  • Published: Jul 20, 2022
  • Updated: Apr 14, 2023
  • CVE: CVE-2022-33967
  • Severity: High
  • Exploit:

CVSS v3:

  • Severity: High
  • Score: 7.8
  • AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWEs:

| Software | From | Fixed in |
|---|---|---|
| denx / u-boot | 2021.04-rc1 | 2021.04-rc1.x |
| denx / u-boot | 2022.07-rc2 | 2022.07-rc2.x |
| denx / u-boot | 2022.07-rc1 | 2022.07-rc1.x |
| denx / u-boot | 2022.01 | 2022.01.x |
| denx / u-boot | 2022.07-rc3 | 2022.07-rc3.x |
| denx / u-boot | 2022.07-rc4 | 2022.07-rc4.x |
| denx / u-boot | 2022.07-rc5 | 2022.07-rc5.x |
| denx / u-boot | 2020.10-rc2 | 2020.10-rc2.x |
| denx / u-boot | 2020.10-rc3 | 2020.10-rc3.x |
| denx / u-boot | 2021.01 | 2021.01.x |
| denx / u-boot | 2021.01-rc1 | 2021.01-rc1.x |
| denx / u-boot | 2021.01-rc2 | 2021.01-rc2.x |
| denx / u-boot | 2021.01-rc3 | 2021.01-rc3.x |
| denx / u-boot | 2021.01-rc4 | 2021.01-rc4.x |
| denx / u-boot | 2021.01-rc5 | 2021.01-rc5.x |
| denx / u-boot | 2021.04-rc2 | 2021.04-rc2.x |
| denx / u-boot | 2022.01-rc1 | 2022.01-rc1.x |
| denx / u-boot | 2022.01-rc2 | 2022.01-rc2.x |
| denx / u-boot | 2022.01-rc3 | 2022.01-rc3.x |
| denx / u-boot | 2022.01-rc4 | 2022.01-rc4.x |
| denx / u-boot | 2022.04 | 2022.04.x |
| denx / u-boot | 2022.04-rc1 | 2022.04-rc1.x |
| denx / u-boot | 2022.04-rc2 | 2022.04-rc2.x |
| denx / u-boot | 2022.04-rc3 | 2022.04-rc3.x |
| denx / u-boot | 2022.04-rc4 | 2022.04-rc4.x |
| denx / u-boot | 2022.04-rc5 | 2022.04-rc5.x |
| denx / u-boot | 2020.10-rc4 | 2020.10-rc4.x |
| denx / u-boot | 2020.10-rc5 | 2020.10-rc5.x |