// For flags

CVE-2022-42010

dbus: dbus-daemon crashes when receiving message with incorrectly nested parentheses and curly brackets

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.

Se ha detectado un problema en D-Bus versiones anteriores a 1.12.24, versiones 1.13.x y 1.14.x anteriores a 1.14.4, y versiones 1.15.x anteriores a 1.15.2. Un atacante autenticado puede causar que dbus-daemon y otros programas que usan libdbus sean bloqueados cuando reciben un mensaje con determinadas firmas de tipo no vĂ¡lido

A vulnerability found in D-bus. This flaw allows an authenticated attacker to cause dbus-daemon and other programs that use libdbus to crash when receiving a message with specific invalid type signatures.

It was discovered that DBus incorrectly handled messages with invalid type signatures. A local attacker could possibly use this issue to cause DBus to crash, resulting in a denial of service. It was discovered that DBus was incorrectly validating the length of arrays of fixed-length items. A local attacker could possibly use this issue to cause DBus to crash, resulting in a denial of service. It was discovered that DBus incorrectly handled the body DBus message with attached file descriptors. A local attacker could possibly use this issue to cause DBus to crash, resulting in a denial of service.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
None
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2022-10-03 CVE Reserved
  • 2022-10-09 CVE Published
  • 2025-06-09 CVE Updated
  • 2025-06-09 First Exploit
  • 2025-08-05 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-347: Improper Verification of Cryptographic Signature
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Freedesktop
Search vendor "Freedesktop"
 Dbus
Search vendor "Freedesktop" for product "Dbus"
 < 1.12.24
Search vendor "Freedesktop" for product "Dbus" and version " < 1.12.24"
-
Affected
Freedesktop
Search vendor "Freedesktop"
 Dbus
Search vendor "Freedesktop" for product "Dbus"
 >= 1.13.0 < 1.14.4
Search vendor "Freedesktop" for product "Dbus" and version " >= 1.13.0 < 1.14.4"
-
Affected
Freedesktop
Search vendor "Freedesktop"
 Dbus
Search vendor "Freedesktop" for product "Dbus"
 >= 1.15.0 < 1.15.2
Search vendor "Freedesktop" for product "Dbus" and version " >= 1.15.0 < 1.15.2"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 36
Search vendor "Fedoraproject" for product "Fedora" and version "36"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 37
Search vendor "Fedoraproject" for product "Fedora" and version "37"
-
Affected