CVE-2022-26376

CWE-787 — Out-of-bounds Write CWE-20 — Improper Input Validation3 documents3 sources

Severity

9.8CRITICAL

EPSS

0.7%

top 27.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Asus Asuswrt Asus Et12 Firmware Asus Gt-ax11000 Firmware +17 more

Timeline

PublishedAug 5

Latest updateAug 6

Description

A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages20 packages

▶NVDasuswrt-merlin/new_gen< 386.7

▶CVEListV5asuswrt-merlin/asuswrt-merlin_new_genprior to 386.7

▶NVDasus/asuswrt< 3.0.0.4.386_48706

▶NVDasus/xd4_firmware< 3.0.0.4.386_48790

▶NVDasus/xd6_firmware< 3.0.0.4.386_49356

🔴Vulnerability Details

GHSA

GHSA-5v6f-j685-6xv8: A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3↗2022-08-06

▶

CVEList

CVE-2022-26376: A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3↗2022-08-05

▶