CVE-2022-2014
Published 2022-06-09
CVE-2022-2014: Code Injection in GitHub repository jgraph/drawio prior to 19.0.2.
Priority: P426 · medium · 5.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.70% (48.4th percentile)
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| diagrams | drawio | < 19.0.2 | 19.0.2 |
| jgraph | jgraph_drawio | >= unspecified < 19.0.2 | 19.0.2 |
| linux | linux_kernel | >= 5.11.0 < 5.15.86 | 5.15.86 |
| linux | linux_kernel | >= 5.16.0 < 6.0.16 | 6.0.16 |
| linux | linux_kernel | >= 6.1.0 < 6.1.2 | 6.1.2 |
CVSS provenance
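| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v3.0 | 9.6 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| cisa | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |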
OSV
wifi: mt76: do not run mt76u_status_worker if the device is not running
osv·2025-12-24
CVE-2022-50735 wifi: mt76: do not run mt76u_status_worker if the device is not running
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: do not run mt76u_status_worker if the device is not running
Fix the following NULL pointer dereference avoiding to run
mt76u_status_worker thread if the device is not running yet.
KASAN: null-ptr-deref in range
[0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 98 Comm: kworker/u2:2 Not tainted 5.14.0+ #78 Hardware
name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: mt76 mt76u_tx_status_data
RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0
Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00
48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1
GHSA
GHSA-395p-gq7g-6x8g: Code Injection in GitHub repository jgraph/drawio prior to 19
ghsa_unreviewed·2022-06-10
CVE-2022-2014 [MEDIUM] CWE-94 GHSA-395p-gq7g-6x8g: Code Injection in GitHub repository jgraph/drawio prior to 19
Code Injection in GitHub repository jgraph/drawio prior to 19.0.2.
Red Hat
kernel: wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
vendor_redhat·2025-12-24
CVE-2022-50716 kernel: wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
In the Linux kernel, the following vulnerability has been resolved:
wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
syzkaller reported use-after-free with the stack trace like below [1]:
[ 38.960489][ C3] ==================================================================
[ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240
[ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0
[ 38.966363][ C3]
[ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18
[ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
[ 38.969959][ C3] Call Trace:
[ 38.970841][ C3]
[ 38.971663][ C3] dump_stack_
Red Hat
kernel: media: mceusb: Use new usb_control_msg_*() routines
vendor_redhat·2025-06-18·CVSS 5.5
CVE-2022-49937 [MEDIUM] CWE-20 kernel: media: mceusb: Use new usb_control_msg_*() routines
In the Linux kernel, the following vulnerability has been resolved:
media: mceusb: Use new usb_control_msg_*() routines
Automatic kernel fuzzing led to a WARN about invalid pipe direction in
the mceusb driver:
------------[ cut here ]------------
usb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40
WARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410
usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410
Modules linked in:
CPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-00208-g69cb6c6556ad #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410
Code: 7c 24 40 e8 ac
Red Hat
kernel: dm: fix use-after-free in dm_cleanup_zoned_dev()
vendor_redhat·2025-02-26·CVSS 7.8
CVE-2022-49270 [HIGH] CWE-416 kernel: dm: fix use-after-free in dm_cleanup_zoned_dev()
In the Linux kernel, the following vulnerability has been resolved:
dm: fix use-after-free in dm_cleanup_zoned_dev()
dm_cleanup_zoned_dev() uses queue, so it must be called
before blk_cleanup_disk() starts its killing:
blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->
->...RCU...->blk_free_queue_rcu()->kmem_cache_free()
Otherwise, RCU callback may be executed first and
dm_cleanup_zoned_dev() will touch free'd memory:
BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681
CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
dump_stack_lvl+0x57/0x7d
Red Hat
kernel: Input: aiptek - properly check endpoint type
vendor_redhat·2024-07-16·CVSS 5.5
CVE-2022-48836 [MEDIUM] kernel: Input: aiptek - properly check endpoint type
In the Linux kernel, the following vulnerability has been resolved:
Input: aiptek - properly check endpoint type
Syzbot reported warning in usb_submit_urb() which is caused by wrong
endpoint type. There was a check for the number of endpoints, but not
for the type of endpoint.
Fix it by replacing old desc.bNumEndpoints check with
usb_find_common_endpoints() helper for finding endpoints
Fail log:
usb 5-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue:
Red Hat
kernel: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver
vendor_redhat·2024-07-16·CVSS 5.5
CVE-2022-48838 [MEDIUM] kernel: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: Fix use-after-free bug by not setting udc->dev.driver
The syzbot fuzzer found a use-after-free bug:
BUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320
Read of size 8 at addr ffff88802b934098 by task udevd/3689
CPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x
Red Hat
kernel: RDMA/srp: Set scmnd->result only when scmnd is not NULL
vendor_redhat·2024-05-03·CVSS 5.5
CVE-2022-48692 [MEDIUM] kernel: RDMA/srp: Set scmnd->result only when scmnd is not NULL
In the Linux kernel, the following vulnerability has been resolved:
RDMA/srp: Set scmnd->result only when scmnd is not NULL
This change fixes the following kernel NULL pointer dereference
which is reproduced by blktests srp/007 occasionally.
BUG: kernel NULL pointer dereference, address: 0000000000000170
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014
Workqueue: 0x0 (kblockd)
RIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]
Code: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6
CISA
Microsoft Win32k Privilege Escalation Vulnerability
cisa·2022-05-04·CVSS 7.8
CVE-2014-4113 [HIGH] CWE-264 Microsoft Win32k Privilege Escalation Vulnerability
Vulnerability: Microsoft Win32k Privilege Escalation Vulnerability
Affected: Microsoft Win32k
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2014-4113
Remediation Due Date: 2022-05-25
CISA
Microsoft Windows Object Linking & Embedding (OLE) Remote Code Execution Vulnerability
cisa·2022-03-03·CVSS 7.8
CVE-2014-4114 [HIGH] CWE-20 Microsoft Windows Object Linking & Embedding (OLE) Remote Code Execution Vulnerability
Vulnerability: Microsoft Windows Object Linking & Embedding (OLE) Remote Code Execution Vulnerability
Affected: Microsoft Windows
A vulnerability exists in Windows Object Linking & Embedding (OLE) that could allow remote code execution if a user opens a file that contains a specially crafted OLE object.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2014-4114
Remediation Due Date: 2022-03-24
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2022-50571 kernel: btrfs: call __btrfs_remove_free_space_cache_locked on cache load failure
bugzilla·2025-10-22
CVE-2022-50571 [LOW] CVE-2022-50571 kernel: btrfs: call __btrfs_remove_free_space_cache_locked on cache load failure
In the Linux kernel, the following vulnerability has been resolved:
btrfs: call __btrfs_remove_free_space_cache_locked on cache load failure
Now that lockdep is staying enabled through our entire CI runs I started
seeing the following stack in generic/475
------------[ cut here ]------------
WARNING: CPU: 1 PID: 2171864 at fs/btrfs/discard.c:604 btrfs_discard_update_discardable+0x98/0xb0
CPU: 1 PID: 2171864 Comm: kworker/u4:0 Not tainted 5.19.0-rc8+ #789
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
Workqueue: btrfs-cache btrfs_work_helper
RIP: 0010:btrfs_discard_update_discardable+0x98/0xb0
RSP: 0018:ffffb857c2f7bad0 EFLAGS: 00010246
RAX: 0000000000000000
Bugzilla
CVE-2022-50543 kernel: RDMA/rxe: Fix mr->map double free
bugzilla·2025-10-07·CVSS 7.8
CVE-2022-50543 [HIGH] CVE-2022-50543 kernel: RDMA/rxe: Fix mr->map double free
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix mr->map double free
rxe_mr_cleanup() which tries to free mr->map again will be called when
rxe_mr_init_user() fails:
CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x45/0x5d
panic+0x19e/0x349
end_report.part.0+0x54/0x7c
kasan_report.cold+0xa/0xf
rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]
__rxe_cleanup+0x10a/0x1e0 [rdma_rxe]
rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]
ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]
ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]
ib_
Bugzilla
CVE-2022-50068 kernel: drm/ttm: Fix dummy res NULL ptr deref bug
bugzilla·2025-06-18·CVSS 5.5
CVE-2022-50068 [MEDIUM] CVE-2022-50068 kernel: drm/ttm: Fix dummy res NULL ptr deref bug
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Fix dummy res NULL ptr deref bug
Check the bo->resource value before accessing the resource
mem_type.
v2: Fix commit description unwrapped warning
[ 40.191227][ T184] general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN PTI
[ 40.192995][ T184] KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
[ 40.194411][ T184] CPU: 1 PID: 184 Comm: systemd-udevd Not tainted 5.19.0-rc4-00721-gb297c22b7070 #1
[ 40.196063][ T184] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 40.199605][ T184] RIP: 0010:ttm_bo_validate+0x1b3/0x240 [ttm]
[ 40.2007
Bugzilla
CVE-2022-50070 kernel: mptcp: do not queue data on closed subflows
bugzilla·2025-06-18·CVSS 7.8
CVE-2022-50070 [HIGH] CVE-2022-50070 kernel: mptcp: do not queue data on closed subflows
In the Linux kernel, the following vulnerability has been resolved:
mptcp: do not queue data on closed subflows
Dipanjan reported a syzbot splat at close time:
WARNING: CPU: 1 PID: 10818 at net/ipv4/af_inet.c:153
inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153
Modules linked in: uio_ivshmem(OE) uio(E)
CPU: 1 PID: 10818 Comm: kworker/1:16 Tainted: G OE
5.19.0-rc6-g2eae0556bb9d #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153
Code: 21 02 00 00 41 8b 9c 24 28 02 00 00 e9 07 ff ff ff e8 34 4d 91
f9 89 ee 4c 89 e7 e8 4a 47 60 ff e9 a6 fc ff ff e8 20 4d 91 f9 0b
e9 84 fe ff ff e8 14 4
Bugzilla
CVE-2022-49444 kernel: module: fix [e_shstrndx].sh_size=0 OOB access
bugzilla·2025-02-26·CVSS 7.1
CVE-2022-49444 [HIGH] CVE-2022-49444 kernel: module: fix [e_shstrndx].sh_size=0 OOB access
In the Linux kernel, the following vulnerability has been resolved:
module: fix [e_shstrndx].sh_size=0 OOB access
It is trivial to craft a module to trigger OOB access in this line:
if (info->secstrings[strhdr->sh_size - 1] != '\0') {
BUG: unable to handle page fault for address: ffffc90000aa0fff
PGD 100000067 P4D 100000067 PUD 100066067 PMD 10436f067 PTE 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 7 PID: 1215 Comm: insmod Not tainted 5.18.0-rc5-00007-g9bf578647087-dirty #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
RIP: 0010:load_module+0x19b/0x2391
[rebased patch onto modules-next]
Discussion:
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022658-CVE-2022-
HackerOne
CVE-2022-27779: cookie for trailing dot TLD
hackerone·2022-05-11·CVSS 5.0
CVE-2022-27779 [MEDIUM] CVE-2022-27779: cookie for trailing dot TLD
## Summary:
In CVE-2014-3620 curl prevents cookies from being set for Top Level Domains (TLDs). According to the advisory, curl's "cookie parser has no Public Suffix awareness", but it will "reject TLDs from being allowed". However, a cookie can still be set for a TLD + trailing dot.
A trailing dot after a TLD is considered legal and curl will send the http://example.com. to http://example.com
## Steps To Reproduce:
1. Create an Apache file like the following
````
<?php
header("Set-Cookie: a=b; Domain=.me.");
````
2. Now save the cookie to curl and see the cookie is set for .me.
````
curl -c cookies.txt http://localtest.me./index.php
````
cookies.txt:
````
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was ge
````
Qualys
OpenSSL Vulnerability Recap | Qualys
blogs_qualys·2022-11-03·CVSS 7.5
[HIGH] OpenSSL Vulnerability Recap | Qualys
Last week a CRITICAL vulnerability in OpenSSL was pre-announced to give organizations a head start in coming up with a playbook for how to address the highest severity OpenSSL vulnerability since Heartbleed in 2014. A lot of effort was put in by vendors and organizations alike to come up with a proper response, while eagerly awaiting the announcement on November 1. When the information was released, the vulnerability was downgraded in severity and split into two (2) CVEs (CVE-2022-37786 and CVE-2022-3602), decreasing the impact on products that leverage OpenSSL 3.x. These two (2) OpenSSL vulnerabilities have been addressed in