PT-2022-5134 · D-Bus+10 · D-Bus+10

Evgeny Vereshchagin

·

Published

2022-10-05

·

Updated

2025-01-28

·

CVE-2022-42012

CVSS v2.0

6.8

Medium

VectorAV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions D-Bus versions 1.12.24 and earlier, 1.13.x, 1.14.x before 1.14.4, and 1.15.x before 1.15.2
Description An issue was discovered in D-Bus that allows an authenticated attacker to cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format. The vulnerability is related to a use-after-free error caused by a message with out-of-band Unix file descriptors and a non-native byte order. This can lead to a denial-of-service.
Recommendations For D-Bus versions 1.12.24 and earlier, update to version 1.12.24 or later. For D-Bus version 1.13.x, update to version 1.14.4 or later. For D-Bus version 1.14.x before 1.14.4, update to version 1.14.4 or later. For D-Bus version 1.15.x before 1.15.2, update to version 1.15.2 or later. As a temporary workaround, consider restricting access to the dbus-daemon to minimize the risk of exploitation.

Exploit

Fix

Improper Validation of Array Index

Use After Free

Assertion Failure

RCE

Weakness Enumeration

CWE-129CWE-416CWE-617CWE-20

Related Identifiers

ALSA-2023:0096
ALSA-2023:0335
ALT-PU-2022-3381
ALT-PU-2023-2028
ALT-PU-2024-3680
AZL-11093
BDU:2022-06389
BDU:2022-06391
BDU:2022-06394
CESA-2023_0096
CVE-2022-42012
DLA-3142-1
DSA-5250-1
MGASA-2022-0365
OESA-2022-2000
OESA-2022-2001
OESA-2022-2051
OPENSUSE-SU-2022_3805-1
OPENSUSE-SU-2022_3806-1
OPENSUSE-SU-2024:12448-1
RHSA-2022:8812
RHSA-2022:8977
RHSA-2023:0096
RHSA-2023:0335
RHSA-2023_0096
RHSA-2023_0335
RLSA-2023:0096
RLSA-2023:0335
ROSA-SA-2025-2603
SUSE-SU-2022:3804-1
SUSE-SU-2022:3805-1
SUSE-SU-2022:3806-1
SUSE-SU-2022:4295-1
USN-5704-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
D-Bus
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu