CVE-2022-21806 — Context Switching Race Condition in Eufy Homebase 2

CWE-368 — Context Switching Race Condition CWE-416 — Use After Free4 documents3 sources

Severity

9.8CRITICALNVD

EPSS

1.8%

top 17.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Anker Eufy Homebase 2 Anker Eufy Homebase 2 Firmware

Timeline

PublishedJun 17

Latest updateJun 18

Description

A use-after-free vulnerability exists in the mips_collector appsrv_server functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted set of network packets can lead to remote code execution. The device is exposed to attacks from the network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5anker/eufy_homebase_22.1.8.5h

▶NVDanker/eufy_homebase_2_firmware2.1.8.5h

🔴Vulnerability Details

GHSA

GHSA-3vc5-mpf6-vw2r: A use-after-free vulnerability exists in the mips_collector appsrv_server functionality of Anker Eufy Homebase 2 2↗2022-06-18

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Vulnerabilities in Anker Eufy Homebase could lead to code execution, authentication bypass↗2022-06-15

▶

Talos

Vulnerability Spotlight: Vulnerabilities in Anker Eufy Homebase could lead to code execution, authentication bypass↗2022-06-15

▶