CVE-2022-45063
Published 2022-11-10
xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.
Priority: P2 59 | Severity: critical | CVSS 3.1 base score: 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 4.95% (91.1th percentile)
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | xterm | < xterm 375-1 (bookworm) | xterm 375-1 (bookworm) |
| fedoraproject | fedora | — | — |
| invisible-island | xterm | < 375 | 375 |
| invisible-island | xterm | >= 0 < 375-1 | 375-1 |
| msrc | cbl2_xterm_380-1_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from the sources listed below)
- Detect OSC 50 font query/response sequences in terminal I/O; a malicious OSC 50 response containing Ctrl-g (0x07) can trigger command execution in the vi line-editing mode of Zsh.
- Flag xterm versions below 375 as vulnerable; the fix was introduced in xterm 375.
- Check whether the allowFontOps and allowWindowOps xterm resources are set to false; if either is true the attack surface is elevated.
- Font ops (allowFontOps) are disabled by default in the xterm configurations shipped by some Linux distributions, which mitigates the vulnerability without patching.
- Red Hat marks this moderate because allowWindowOps and allowFontOps are false by default in RHEL xterm packages, reducing the attack surface to local, non-remote exploitation.
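The first detection item above is concrete enough to implement. The scanner below is an added example written for this page, not code from the xterm project or from any of the advisories: it walks a byte stream, picks out OSC sequences (`ESC ]` or the 8-bit 0x9D introducer, terminated by BEL, `ESC \` or 0x9C), keeps those whose body starts with `50;`, and classifies each as a font set, a font query (`?`) or, when told the bytes came back from the terminal, a response. The sample byte strings are constructed for the example, not captured from a real incident; the idea of feeding it bytes in both directions (what a program wrote to the pty, and what the shell received back) is this example's own framing.

```python
"""Scan terminal I/O for xterm OSC 50 font-op sequences (CVE-2022-45063 indicator)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ESC, BEL, OSC_C1, ST_C1 = 0x1B, 0x07, 0x9D, 0x9C


@dataclass
class Osc50Finding:
    offset: int         # byte offset of the OSC introducer in the stream
    kind: str           # "set" (font name written), "query" ("?"), or "response" (terminal -> shell)
    payload: bytes      # bytes after "50;"
    terminator: str     # "BEL" (0x07) or "ST" (ESC \ or 0x9C)
    has_controls: bool  # payload carries C0/C1 bytes, which a plain font name never needs


def _osc_end(data: bytes, start: int) -> Optional[Tuple[int, int, str]]:
    """Locate the OSC terminator; return (payload_end, terminator_len, name) or None if unterminated."""
    i = start
    while i < len(data):
        b = data[i]
        if b == BEL:
            return i, 1, "BEL"
        if b == ST_C1:
            return i, 1, "ST"
        if b == ESC and i + 1 < len(data) and data[i + 1] == 0x5C:  # ESC \
            return i, 2, "ST"
        i += 1
    return None


def scan_osc50(data: bytes, direction: str = "to_terminal") -> List[Osc50Finding]:
    """direction="to_terminal": bytes an application wrote (e.g. a file being cat'ed).
    direction="from_terminal": bytes the shell received back from xterm (its responses)."""
    findings: List[Osc50Finding] = []
    i, n = 0, len(data)
    while i < n:
        if data[i] == ESC and i + 1 < n and data[i + 1] == 0x5D:  # ESC ]
            body_start = i + 2
        elif data[i] == OSC_C1:                                   # 8-bit OSC introducer
            body_start = i + 1
        else:
            i += 1
            continue
        end = _osc_end(data, body_start)
        if end is None:
            break  # unterminated OSC: nothing parseable follows
        body_end, term_len, term_name = end
        body = data[body_start:body_end]
        if body.startswith(b"50;"):
            payload = body[3:]
            if direction == "from_terminal":
                kind = "response"
            elif payload == b"?":
                kind = "query"
            else:
                kind = "set"
            has_controls = any(c < 0x20 or 0x7F <= c < 0xA0 for c in payload)
            findings.append(Osc50Finding(i, kind, payload, term_name, has_controls))
        i = body_end + term_len
    return findings


def alerts(findings: List[Osc50Finding]) -> List[str]:
    """Reduce findings to the conditions worth alerting on."""
    out: List[str] = []
    saw_set = False
    for f in findings:
        if f.kind == "set":
            saw_set = True
            if f.has_controls:
                out.append(f"offset {f.offset}: OSC 50 font set whose name carries control bytes {f.payload!r}")
        elif f.kind == "query":
            tail = " after an OSC 50 font set in the same stream" if saw_set else ""
            out.append(f"offset {f.offset}: OSC 50 font query{tail}; an unpatched xterm answers with the font name as shell input")
        elif f.kind == "response" and f.terminator == "BEL":
            out.append(f"offset {f.offset}: OSC 50 response terminated by Ctrl-g (0x07) reached the shell")
    return out


# Constructed samples for this example (not captured from a real incident).
SAMPLE_TO_TERMINAL = b"plain text\x1b]50;Monospace:size=12\x1b\\ more \x1b]50;?\x07 tail"
SAMPLE_FROM_TERMINAL = b"\x1b]50;Monospace:size=12\x07"

if __name__ == "__main__":
    for line in alerts(scan_osc50(SAMPLE_TO_TERMINAL)):
        print(line)
    for line in alerts(scan_osc50(SAMPLE_FROM_TERMINAL, direction="from_terminal")):
        print(line)
```

A benign font set on its own is recorded but not alerted on; a query, a font name carrying control bytes, or a BEL-terminated response delivered to the shell is. Run it over anything that will be written to a terminal unfiltered (log files, captured sessions, untrusted output) rather than over the live pty, where the bytes have already been interpreted.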
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 9.8 | CRITICAL | |
| vendor_msrc | 9.8 | CRITICAL | |
| vendor_redhat | 9.8 | CRITICAL | |
OSV
osv · 2022-11-10 · CVSS 9.8 · CRITICAL
xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.
GHSA
GHSA-3cch-wj7f-8g8x · ghsa_unreviewed · 2022-11-10 · CRITICAL · CWE-77
xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.
Red Hat
xterm: code execution via OSC 50 input sequences
vendor_redhat · 2022-11-10 · CVSS 9.8 · CRITICAL · CWE-94
xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.
A flaw was found in xterm. This issue may allow code execution via font ops.
Statement: This issue is marked as moderate because in Red Hat Enterprise Linux 6, 7, 8, and 9 the xterm package is currently provided with the allowWindowOps and allowFontOps resources set to false by default, which protects against remote code execution and reduces the attack surface.
Package: xterm (Red Hat Enterprise Linux 6) - Not affected
Package: xterm (Red Hat Enterprise Linux 7) - N
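Red Hat's statement makes the practical exposure question a two-part check: is the installed xterm older than 375, and are the allowFontOps / allowWindowOps resources actually false on this host? The script below is an added example for this page, not Red Hat's or the xterm project's tooling. It assumes the `xterm -version` output format `XTerm(NNN)` and the X resource line format `XTerm*allowFontOps:<tab>false` as printed by `xrdb -query` (app-defaults files such as `/etc/X11/app-defaults/XTerm` use the same `name: value` syntax and can be fed to the same parser). The sample strings are constructed for the example; on a real host you would substitute the captured command output.

```python
"""Host check for CVE-2022-45063: xterm patch level plus the allowFontOps / allowWindowOps resources."""
import re
from typing import Dict, Optional

VERSION_RE = re.compile(r"XTerm\((\d+)\)")   # assumption: `xterm -version` prints e.g. "XTerm(372)"
TRUE_WORDS = {"true", "on", "yes", "1"}
FALSE_WORDS = {"false", "off", "no", "0"}
FIXED_IN = 375


def xterm_version(version_output: str) -> Optional[int]:
    """Parse the xterm patch number from `xterm -version` output; None if it cannot be found."""
    m = VERSION_RE.search(version_output)
    return int(m.group(1)) if m else None


def parse_resources(text: str) -> Dict[str, str]:
    """Parse X resource lines ('XTerm*allowFontOps:\\tfalse') from `xrdb -query` or an app-defaults file."""
    res: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("#"):
            continue  # resource-file comments and cpp directives
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        res[key.strip()] = value.strip()   # later bindings overwrite earlier ones
    return res


def resource_value(res: Dict[str, str], name: str) -> Optional[bool]:
    """True/False for the last binding whose leaf component is `name`
    ('*allowFontOps', 'XTerm*allowFontOps', 'XTerm.vt100.allowFontOps'); None when unset."""
    result: Optional[bool] = None
    for key, value in res.items():
        leaf = re.split(r"[*.]", key)[-1]
        if leaf == name:
            v = value.lower()
            if v in TRUE_WORDS:
                result = True
            elif v in FALSE_WORDS:
                result = False
    return result


def assess(version_output: str, resources_text: str) -> Dict[str, object]:
    """Combine the version and resource state.
    An unset allowFontOps is treated as enabled (conservative assumption for this example)."""
    version = xterm_version(version_output)
    res = parse_resources(resources_text)
    font_ops = resource_value(res, "allowFontOps")
    window_ops = resource_value(res, "allowWindowOps")
    unpatched = version is not None and version < FIXED_IN
    return {
        "version": version,
        "unpatched": unpatched,
        "allowFontOps": font_ops,
        "allowWindowOps": window_ops,
        "exposed": unpatched and font_ops is not False,
    }


# Constructed samples: a distribution that hardens the defaults, and one that ships upstream settings.
RHEL_LIKE = "XTerm*allowFontOps:\tfalse\nXTerm*allowWindowOps:\tfalse\nXTerm*faceName:\tMonospace\n"
UPSTREAM_LIKE = "! no hardening lines\nXTerm*faceName:\tMonospace\n"

if __name__ == "__main__":
    for label, rc in (("hardened", RHEL_LIKE), ("upstream", UPSTREAM_LIKE)):
        print(label, assess("XTerm(372)\n", rc))
```

The resource parser only sees what you give it: `xrdb -query` reflects the server-side database, while a user's own `~/.Xresources`, `-xrm` arguments or a `+fc`-style command line can still re-enable font ops for one process, so treat a false from this check as "not exposed by the system defaults", not as a per-process guarantee.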
Microsoft
vendor_msrc · 2022-11-08 · CVSS 9.8 · CRITICAL · CWE-77
xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more info.
Debian
vendor_debian · 2022 · CVSS 9.8 · CRITICAL
xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.
Scope: local
bookworm: resolved (fixed in 375-1)
bullseye: open
forky: resolved (fixed in 375-1)
sid: resolved (fixed in 375-1)
trixie: resolved (fixed in 375-1)
No detection rules found.
No public exploits indexed.
References
- http://www.openwall.com/lists/oss-security/2022/11/10/1
- http://www.openwall.com/lists/oss-security/2022/11/10/5
- http://www.openwall.com/lists/oss-security/2024/06/15/1
- http://www.openwall.com/lists/oss-security/2024/06/17/1
- http://www.openwall.com/lists/oss-security/2026/04/08/1
- http://www.openwall.com/lists/oss-security/2026/04/08/10
- https://invisible-island.net/xterm/xterm.log.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4TPVNTYFFWNTGZJJQAA4MGGFSTXA4XEA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5T2JI5JCHPTXX2KJU45H2XAHQSFVEJ2Y/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IVD3I2ZFXGOY6BA2FNS7WPFMPFBDHFWC/
- https://news.ycombinator.com/item?id=33546415
- https://security.gentoo.org/glsa/202211-09
- https://www.openwall.com/lists/oss-security/2022/11/10/1