CVE-2022-1215
published 2022-06-02CVE-2022-1215: A format string vulnerability was found in libinput
PriorityP337high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
EPSS
0.36%
28.3th percentile
A format string vulnerability was found in libinput
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libinput | < libinput 1.20.1-1 (bookworm) | libinput 1.20.1-1 (bookworm) |
| freedesktop | libinput | — | — |
| freedesktop | libinput | — | — |
| freedesktop | libinput | >= 0 < 1.20.1-1 | 1.20.1-1 |
| freedesktop | libinput | >= 0 < 1.20.1-1 | 1.20.1-1 |
| freedesktop | libinput | >= 0 < 1.20.1-1 | 1.20.1-1 |
| freedesktop | libinput | >= 1.10.0 < 1.18.2 | 1.18.2 |
| freedesktop | libinput | >= 1.19.0 < 1.19.4 | 1.19.4 |
| msrc | cbl2_libinput_1.21.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_libinput_1.16.5-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.2HIGHAV:L/AC:L/Au:N/C:C/I:C/A:C
osv7.8HIGH
cisa7.8HIGH
vendor_debian7.8HIGH
vendor_msrc7.8HIGH
vendor_redhat7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
kernel: module: fix [e_shstrndx].sh_size=0 OOB access
vendor_redhat·2025-02-26·CVSS 7.1
CVE-2022-49444 [HIGH] CWE-125 kernel: module: fix [e_shstrndx].sh_size=0 OOB access
kernel: module: fix [e_shstrndx].sh_size=0 OOB access
In the Linux kernel, the following vulnerability has been resolved:
module: fix [e_shstrndx].sh_size=0 OOB access
It is trivial to craft a module to trigger OOB access in this line:
if (info->secstrings[strhdr->sh_size - 1] != '\0') {
BUG: unable to handle page fault for address: ffffc90000aa0fff
PGD 100000067 P4D 100000067 PUD 100066067 PMD 10436f067 PTE 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 7 PID: 1215 Comm: insmod Not tainted 5.18.0-rc5-00007-g9bf578647087-dirty #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
RIP: 0010:load_module+0x19b/0x2391
[rebased patch onto modules-next]
Package: kernel (Red Hat Enterprise Linux 10) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Not af
Microsoft
A format string vulnerability was found in libinput
vendor_msrc·2022-05-10·CVSS 7.8
CVE-2022-1215 [HIGH] CWE-134 A format string vulnerability was found in libinput
A format string vulnerability was found in libinput
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
redhat: redhat
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.m
Ubuntu
libinput vulnerability
vendor_ubuntu·2022-05-02
CVE-2022-1215 libinput vulnerability
Title: libinput vulnerability
Summary: libinput could be made to crash or expose sensitive information.
USN-5382-1 fixed a vulnerability in libinput. This update provides the
corresponding updates for Ubuntu 22.04 LTS.
Original advisory details:
Albin Eldstål-Ahrens and Lukas Lamster discovered libinput did not properly
handle input devices with specially crafted names. A local attacker with
physical access could use this to cause libinput to crash or expose
sensitive information.
Instructions: After a standard system update you need to log out of all desktop sessions
and then log back in to make all the necessary changes.
Red Hat
libinput: format string vulnerability may lead to privilege escalation
vendor_redhat·2022-04-20·CVSS 7.8
CVE-2022-1215 [HIGH] CWE-134 libinput: format string vulnerability may lead to privilege escalation
libinput: format string vulnerability may lead to privilege escalation
A format string vulnerability was found in libinput
Statement: This flaw is out of support scope for versions of libinput shipped with Red Hat Enterprise Linux 7. The severity was set to Moderate because a potential attacker would need to be physically within bluetooth range of the victim machine, in addition to using an already-paired device.
Package: libinput (Red Hat Enterprise Linux 7) - Out of support scope
Ubuntu
libinput vulnerability
vendor_ubuntu·2022-04-20
CVE-2022-1215 libinput vulnerability
Title: libinput vulnerability
Summary: libinput could be made to crash or expose sensitive information.
Albin Eldstål-Ahrens and Lukas Lamster discovered libinput did not properly
handle input devices with specially crafted names. A local attacker with
physical access could use this to cause libinput to crash or expose
sensitive information.
Instructions: After a standard system update you need to log out of all desktop sessions
and then log back in to make all the necessary changes.
Debian
CVE-2022-1215: libinput - A format string vulnerability was found in libinput
vendor_debian·2022·CVSS 7.8
CVE-2022-1215 [HIGH] CVE-2022-1215: libinput - A format string vulnerability was found in libinput
A format string vulnerability was found in libinput
Scope: local
bookworm: resolved (fixed in 1.20.1-1)
bullseye: open
forky: resolved (fixed in 1.20.1-1)
sid: resolved (fixed in 1.20.1-1)
trixie: resolved (fixed in 1.20.1-1)
CISA
Microsoft Windows Privilege Escalation Vulnerability
cisa·2021-11-03·CVSS 7.8
CVE-2019-1215 [HIGH] Microsoft Windows Privilege Escalation Vulnerability
Vulnerability: Microsoft Windows Privilege Escalation Vulnerability
Affected: Microsoft Windows
Microsoft Windows contains an unspecified vulnerability due to the way ws2ifsl.sys (Winsock) handles objects in memory, allowing for privilege escalation. Successful exploitation allows an attacker to execute code with elevated privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-1215
Remediation Due Date: 2022-05-03
GHSA
GHSA-q3fm-hh84-2m38: A format string vulnerability was found in libinput
ghsa_unreviewed·2022-06-03
CVE-2022-1215 [HIGH] CWE-134 GHSA-q3fm-hh84-2m38: A format string vulnerability was found in libinput
A format string vulnerability was found in libinput
OSV
CVE-2022-1215: A format string vulnerability was found in libinput
osv·2022-06-02·CVSS 7.8
CVE-2022-1215 [HIGH] CVE-2022-1215: A format string vulnerability was found in libinput
A format string vulnerability was found in libinput
No detection rules found.
No public exploits indexed.
2022-06-02
Published