What is CVE-2022-2347?

CVE-2022-2347 is a high-severity vulnerability in Denx U-boot, classified under Heap-based Buffer Overflow. CVSS score: 7.7/10. Published 2022-09-23.

How severe is CVE-2022-2347?

High severity. CVSS v3 base score is 7.7 out of 10.

Is CVE-2022-2347 known to be exploited?

7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Buffer overflow in Denx U-boot

CVE-2022-2347

There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Cons…

Vulnerability class: Buffer Overflow

EPSS: 0.000 (14.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.7 (High). Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H.

Affected products

Denx U-boot
Uboot — versions unspecified

Weakness classification (CWE)

Public proof-of-concept exploits

References

cve-coordination@google.com (Exploit, Mailing List, Third Party Advisory, x_refsource_MISC)
af854a3a-2127-422b-91ae-364da2661108
0b142b55-0307-4c5a-b3c9-f314f3fb7c5e

Frequently asked questions

What is CVE-2022-2347?: CVE-2022-2347 is a high-severity vulnerability in Denx U-boot, classified under Heap-based Buffer Overflow. CVSS score: 7.7/10. Published 2022-09-23.
How severe is CVE-2022-2347?: High severity. CVSS v3 base score is 7.7 out of 10.
Is CVE-2022-2347 known to be exploited?: 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.