Cyber Resilience

CVE-2022-23123

Critical

Published: 28 March 2023
Modified: 04 November 2025
CISA KEV: not listed
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0766 (92.1st percentile)
Risk Priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-23123 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Netatalk, as shipped in Debian Linux. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 7.9% of CVEs by predicted exploitation likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

This vulnerability is an out-of-bounds read (CWE-125) in the getdirparams function of afpd, the AFP daemon in Netatalk, a widely deployed open-source implementation of the Apple Filing Protocol. The flaw stems from insufficient validation of user-supplied data in the request: a length or offset taken from the client is used to index a buffer without being checked against the data actually received, so an unauthenticated remote attacker can make the server read past the end of an allocated buffer and return the contents of adjacent process memory. It carries a CVSS v3.1 base score of 9.8 and was originally reported as ZDI-CAN-15830.

Unauthenticated attackers with network access to the AFP service can exploit the issue to obtain sensitive information from affected installations. On its own the flaw discloses memory; the disclosed bytes (for example heap pointers that defeat address-space randomisation) can then be chained with additional vulnerabilities in afpd to achieve arbitrary code execution with root privileges, which is why the advisory treats it as critical.
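The pattern behind a CWE-125 bug of this kind, as an added example that is not Netatalk's code and not the actual getdirparams logic: a length-prefixed field is copied out of a request using the client-supplied length, checked only against the destination and never against how many bytes were actually received. The request buffer, the adjacent "process data" and the name fields are all constructed here to keep the demonstration deterministic (the over-read stays inside a larger arena rather than touching unmapped memory); the hardened form beside it rejects the same request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena, not a real AFP packet: the first REQ_LEN bytes are the
   request actually received; the remaining bytes stand in for whatever the
   process happens to hold next to its receive buffer. */
#define REQ_LEN   8
#define ARENA_LEN 24

static void build_arena(uint8_t arena[ARENA_LEN])
{
    memset(arena, 0, ARENA_LEN);
    arena[0] = 20;                                   /* claimed name length; only 7 payload bytes follow */
    memcpy(arena + 1, "abcdefg", 7);                 /* the real payload */
    memcpy(arena + REQ_LEN, "SECRET-TOKEN-XYZ", 16); /* adjacent process data (constructed) */
}

/* Vulnerable pattern (CWE-125): the client-supplied length is bounded against
   the destination buffer only; req_len, the number of bytes received, is never
   consulted, so the copy reads past the end of the request. */
static size_t parse_name_unchecked(const uint8_t *req, size_t req_len,
                                   char *out, size_t out_cap)
{
    size_t n = req[0];
    (void)req_len;                     /* ignored: this is the bug */
    if (n + 1 > out_cap)
        n = out_cap - 1;
    memcpy(out, req + 1, n);           /* over-reads when n > req_len - 1 */
    out[n] = '\0';
    return n;
}

/* Hardened form: every length derived from client data is checked against the
   bytes on hand before it is used to index or copy. */
static int parse_name_checked(const uint8_t *req, size_t req_len,
                              char *out, size_t out_cap)
{
    if (req_len < 1 || out_cap < 1)
        return -1;
    size_t n = req[0];
    if (n > req_len - 1)               /* claimed length exceeds received bytes */
        return -1;
    if (n + 1 > out_cap)               /* would not fit the caller's buffer */
        return -1;
    memcpy(out, req + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Runs the unchecked parser over the constructed request. The returned "name"
   is 20 bytes long and carries 13 bytes that were never part of the request. */
size_t run_unchecked(char *out, size_t out_cap)
{
    uint8_t arena[ARENA_LEN];
    build_arena(arena);
    return parse_name_unchecked(arena, REQ_LEN, out, out_cap);
}

/* Runs the hardened parser over the same request; it refuses the oversized
   length and returns -1 without touching memory beyond the request. */
int run_checked(char *out, size_t out_cap)
{
    uint8_t arena[ARENA_LEN];
    build_arena(arena);
    return parse_name_checked(arena, REQ_LEN, out, out_cap);
}

int main(void)
{
    char name[64];
    size_t n = run_unchecked(name, sizeof name);
    printf("unchecked: copied %zu bytes -> \"%s\"\n", n, name);
    printf("checked:   result %d\n", run_checked(name, sizeof name));
    return 0;
}
```

The unchecked parser returns the bytes that sat beyond the request, which is the information-disclosure primitive the advisory describes; the checked parser fails closed on the same input. The check that matters is the comparison against the received length, not against the destination size, and it has to be applied to every length or offset the client controls.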

Debian, Gentoo, and upstream Netatalk advisories address the issue through updated packages; relevant fixes appear in Netatalk 3.1.13 and corresponding Debian security and LTS releases (DSA-5503 and subsequent LTS updates).

EPSS for the CVE rose sharply from a low baseline to a peak of 0.5763 on 2025-01-22 before receding to the current value of 0.0766, indicating a period of markedly elevated predicted exploitation likelihood well after public disclosure; the current score still places it in the top 8% of scored CVEs, so it should not be deprioritised on the basis of the KEV status alone.

Vulnerability details

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getdirparams method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15830.

CWE(s)

CWE-125: Out-of-bounds Read

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

netatalk / netatalk: ≤ 3.1.13 as listed by the tracker. Note that the fix described above ships in Netatalk 3.1.13 itself, so installations on exactly 3.1.13 should be confirmed against the upstream release notes rather than treated as affected by this version range alone.
debian / debian linux: 10.0, 11.0

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. Until it does, the controls that follow from the advisories above are the usual ones: install the fixed Netatalk packages (upstream 3.1.13 or the corresponding Debian security and LTS updates), and, where patching is delayed, stop exposing the AFP service (afpd, TCP port 548) to untrusted networks, since the flaw is reachable without authentication.
