CVE-2022-2652

NameCVE-2022-2652
DescriptionDepending on the way the format strings in the card label are crafted it's possible to leak kernel stack memory. There is also the possibility for DoS due to the v4l2loopback kernel module crashing when providing the card label on request (reproduce e.g. with many %s modifiers in a row).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1016685

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
v4l2loopback (PTS)jessie0.8.0-4vulnerable
stretch0.10.0-1vulnerable
buster0.12.1-1vulnerable
bullseye0.12.5-1vulnerable
bookworm0.12.7-2fixed
sid, trixie0.13.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
v4l2loopbacksourcejessie(unfixed)end-of-life
v4l2loopbacksourcestretch(unfixed)end-of-life
v4l2loopbacksource(unstable)0.12.7-1unimportant1016685

Notes

https://huntr.dev/bounties/1b055da5-7a9e-4409-99d7-030280d242d5
https://github.com/umlaeute/v4l2loopback/commit/e4cd225557486c420f6a34411f98c575effd43dd (main)
https://github.com/umlaeute/v4l2loopback/commit/64a216af4c09c9ba9326057d7e78994271827eff (v0.12.6)
Negligible security impact
Search for package or bug name: Reporting problems