PT-2022-2364 · Libinput+11

Albin Eldstål-Ahrens +1 · Published 2022-04-20 · Updated 2024-04-04 · CVE-2022-1215

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: libinput version 1.20.1

Description: A format string vulnerability was found in libinput, caused by the use of an uncontrolled format string in the evdev_log_msg function. It can be exploited to execute arbitrary code with elevated privileges, in particular when the X server runs as root. The issue affects environments based on X.Org and Wayland and can be exploited through locally connected devices or by manipulating Bluetooth devices.

Recommendations: For libinput version 1.20.1, update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the evdev_log_msg function to minimize the risk of exploitation, and avoid using it in the affected API endpoints until the issue is resolved.
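The weakness class named in this advisory (an externally controlled format string, CWE-134) is easiest to see in a small log wrapper. The C code below is an added illustration written for this page; it is not libinput's evdev_log_msg and not code from the advisory. log_msg_unsafe folds a device-supplied name into the format string, log_msg_safe passes the same name through a "%s" conversion instead, and a constructed device name containing "%%" shows the difference without triggering undefined behaviour. All function names and the sample device name are assumptions.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Tell gcc/clang which parameter is the format string, so the compiler can
 * check callers and -Wformat-nonliteral stays quiet for the safe wrapper. */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

/* Weakness pattern (constructed, not libinput's code): a device name that
 * whoever plugs in or pairs the device controls is copied into buf, and buf
 * is then handed to vsnprintf as the format string. Any '%' in the name is
 * interpreted as a conversion, which is what CWE-134 describes. */
static void
log_msg_unsafe(char *out, size_t outlen, const char *devname, const char *fmt, ...)
{
    char buf[256];
    va_list args;

    snprintf(buf, sizeof buf, "%s: %s", devname, fmt);   /* BUG: name enters the format */

    va_start(args, fmt);
    vsnprintf(out, outlen, buf, args);                   /* buf is attacker-influenced */
    va_end(args);
}

/* Hardened form: the only format ever passed to vsnprintf is fmt, which
 * callers supply as a literal. The device name goes through "%s" and is
 * never interpreted, whatever characters it contains. */
static void PRINTF_LIKE(4, 5)
log_msg_safe(char *out, size_t outlen, const char *devname, const char *fmt, ...)
{
    va_list args;
    int n = snprintf(out, outlen, "%s: ", devname);

    if (n < 0 || (size_t)n >= outlen)
        return;                          /* the name alone filled the buffer */

    va_start(args, fmt);
    vsnprintf(out + n, outlen - (size_t)n, fmt, args);
    va_end(args);
}

/* Review heuristic for externally supplied strings: does this contain
 * anything a printf-family function would treat as a directive? */
static bool
has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Constructed sample device name. "%%" is a harmless directive: it renders
 * as a single '%' if the string is interpreted as a format, and stays "%%"
 * if it is printed as data, so the two wrappers can be compared safely. */
static const char DEVNAME[] = "Constructed Pad 100%%";

static char g_unsafe[256];
static char g_safe[256];

/* Log one constructed event through the unsafe wrapper. */
const char *
demo_unsafe_line(void)
{
    log_msg_unsafe(g_unsafe, sizeof g_unsafe, DEVNAME, "button %d pressed", 3);
    return g_unsafe;   /* "Constructed Pad 100%: button 3 pressed" */
}

/* Log the same event through the hardened wrapper. */
const char *
demo_safe_line(void)
{
    log_msg_safe(g_safe, sizeof g_safe, DEVNAME, "button %d pressed", 3);
    return g_safe;     /* "Constructed Pad 100%%: button 3 pressed" */
}

int
main(void)
{
    printf("device name carries a directive: %s\n",
           has_format_directive(DEVNAME) ? "yes" : "no");
    printf("unsafe: %s\n", demo_unsafe_line());
    printf("safe:   %s\n", demo_safe_line());
    return 0;
}
```

The rewritten name in the unsafe output is the tell: the device string was parsed as a format, so a name carrying other conversions would read or write through the variadic arguments instead. Building with `-Wformat -Wformat-nonliteral` (gcc and clang) flags the vsnprintf call in log_msg_unsafe, because its format is not a literal and not a parameter marked with the format attribute; that warning is the cheapest way to find this pattern in a code base.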

Fix

Weakness Enumeration: Use of Externally-Controlled Format String

Related Identifiers

ALSA-2022:5257
ALT-PU-2021-4844
ALT-PU-2021-4845
ALT-PU-2022-1732
ALT-PU-2022-1738
ALT-PU-2022-1752
ALT-PU-2022-3182
ALT-PU-2022-7644
AZL-9861
BDU:2022-02695
CESA-2022_5331
CVE-2022-1215
MGASA-2022-0150
OESA-2022-1709
OPENSUSE-SU-2022_1305-1
OPENSUSE-SU-2024:12023-1
RHSA-2022:5257
RHSA-2022:5331
RHSA-2022_5257
RHSA-2022_5331
RLSA-2022:5257
RLSA-2022:5331
SUSE-SU-2022:1305-1
SUSE-SU-2022_1305-1
USN-5382-1
USN-5382-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Libinput