CVE-2022-23467 - Vulnerability Details - OpenCVE

OpenRazer is an open source driver and user-space daemon to control Razer device lighting and other features on GNU/Linux. Using a modified USB device an attacker can leak stack addresses of the `razer_attr_read_dpi_stages`, potentially bypassing KASLR. To exploit this vulnerability an attacker would need to access to a users keyboard or mouse or would need to convince a user to use a modified device. The issue has been patched in v3.5.1. Users are advised to upgrade and should be reminded not to plug in unknown USB devices.

No CVSS v4.0

Attack Vector Physical

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Openrazer Project	Openrazer

Configuration 1 [-]

cpe:2.3:a:openrazer_project:openrazer:*:*:*:*:*:linux:*:*

No data.

References

Link	Providers
https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6
https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h
https://lists.debian.org/debian-lts-announce/2025/04/msg00032.html

History

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/04/msg00032.html

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.0002}`	epss `{'score': 0.00017}`

Wed, 23 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-12-05T19:22:30.988Z

Updated: 2025-11-03T19:26:50.922Z

Reserved: 2022-01-19T21:23:53.756Z

Link: CVE-2022-23467

Vulnrichment

Updated: 2024-08-03T03:43:46.002Z

NVD

Status : Modified

Published: 2022-12-05T20:15:10.133

Modified: 2025-11-03T20:15:52.930

Link: CVE-2022-23467

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-23467", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "dateReserved": "2022-01-19T21:23:53.756Z", "datePublished": "2022-12-05T19:22:30.988Z", "dateUpdated": "2025-11-03T19:26:50.922Z"}, "containers": {"cna": {"title": "Out of Bounds Read in OpenRazer Driver", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h"}, {"name": "https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6", "tags": ["x_refsource_MISC"], "url": "https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6"}], "affected": [{"vendor": "openrazer", "product": "openrazer", "versions": [{"version": "< 3.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-05T19:22:30.988Z"}, "descriptions": [{"lang": "en", "value": "OpenRazer is an open source driver and user-space daemon to control Razer device lighting and other features on GNU/Linux. Using a modified USB device an attacker can leak stack addresses of the `razer_attr_read_dpi_stages`, potentially bypassing KASLR. To exploit this vulnerability an attacker would need to access to a users keyboard or mouse or would need to convince a user to use a modified device. The issue has been patched in v3.5.1. Users are advised to upgrade and should be reminded not to plug in unknown USB devices."}], "source": {"advisory": "GHSA-39hg-jvc9-fg7h", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"name": "https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h"}, {"name": "https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00032.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:26:50.922Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T13:53:10.226693Z", "id": "CVE-2022-23467", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T16:32:45.096Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h", "name": "https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6", "name": "https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.002Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-23467", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T13:53:10.226693Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T13:53:11.758Z"}}], "cna": {"title": "Out of Bounds Read in OpenRazer Driver", "source": {"advisory": "GHSA-39hg-jvc9-fg7h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "openrazer", "product": "openrazer", "versions": [{"status": "affected", "version": "< 3.5.1"}]}], "references": [{"url": "https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h", "name": "https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6", "name": "https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenRazer is an open source driver and user-space daemon to control Razer device lighting and other features on GNU/Linux. Using a modified USB device an attacker can leak stack addresses of the `razer_attr_read_dpi_stages`, potentially bypassing KASLR. To exploit this vulnerability an attacker would need to access to a users keyboard or mouse or would need to convince a user to use a modified device. The issue has been patched in v3.5.1. Users are advised to upgrade and should be reminded not to plug in unknown USB devices."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-05T19:22:30.988Z"}}}, "cveMetadata": {"cveId": "CVE-2022-23467", "state": "PUBLISHED", "dateUpdated": "2025-04-23T16:32:45.096Z", "dateReserved": "2022-01-19T21:23:53.756Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-12-05T19:22:30.988Z", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openrazer_project:openrazer:*:*:*:*:*:linux:*:*", "matchCriteriaId": "6DC7A7BD-6A98-4B2B-98BE-5BDD21768F26", "versionEndExcluding": "3.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenRazer is an open source driver and user-space daemon to control Razer device lighting and other features on GNU/Linux. Using a modified USB device an attacker can leak stack addresses of the `razer_attr_read_dpi_stages`, potentially bypassing KASLR. To exploit this vulnerability an attacker would need to access to a users keyboard or mouse or would need to convince a user to use a modified device. The issue has been patched in v3.5.1. Users are advised to upgrade and should be reminded not to plug in unknown USB devices."}, {"lang": "es", "value": "OpenRazer es un controlador de c\u00f3digo abierto y un demonio de espacio de usuario para controlar la iluminaci\u00f3n del dispositivo Razer y otras funciones en GNU/Linux. Al utilizar un dispositivo USB modificado, un atacante puede filtrar las direcciones de pila de `razer_attr_read_dpi_stages`, evitando potencialmente KASLR. Para explotar esta vulnerabilidad, un atacante necesitar\u00eda acceder al teclado o al mouse de un usuario o necesitar\u00eda convencer a un usuario para que use un dispositivo modificado. El problema se solucion\u00f3 en la versi\u00f3n 3.5.1. Se recomienda a los usuarios que actualicen y se les debe recordar que no conecten dispositivos USB desconocidos."}], "id": "CVE-2022-23467", "lastModified": "2025-11-03T20:15:52.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.3, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-05T20:15:10.133", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00032.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Secondary"}]}