Cyber Resilience

CVE-2022-23124

Critical

Published: 28 March 2023

Modified: 04 November 2025
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0093 (76.6th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-23124 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Netatalk, as shipped in Debian Linux. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 23.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

This vulnerability affects Netatalk, the open-source AFP file server, and is an out-of-bounds read in the get_finderinfo function: the code does not properly validate client-supplied data before reading Finder info, so a crafted request makes it read past the end of an allocated buffer. The Zero Day Initiative tracked the flaw as ZDI-CAN-15870; it is classified as CWE-125 and carries a CVSS 3.1 base score of 9.8.

Unauthenticated remote attackers can trigger the read over the network and disclose memory contents beyond the intended buffer. On its own the flaw is an information leak; chained with other vulnerabilities it can be used to execute arbitrary code as root on affected installations.

Advisories from Debian, Gentoo, and the Zero Day Initiative, along with the Netatalk 3.1.13 release notes, address the issue; the fix ships in Netatalk 3.1.13 and in updated distribution packages that restore proper validation of the client-supplied data. Distribution packages usually backport the fix without adopting the upstream version number, so confirm remediation from the package changelog or advisory rather than from the version string alone.

The EPSS score for this CVE rose from a low baseline to a peak of 0.5674 on 2025-01-22 before receding to the current value of 0.0093, indicating a period of heightened exploitation interest well after public disclosure.

Vulnerability details

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the get_finderinfo method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15870.
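The pattern described in Deeper analysis and Vulnerability details, as an added illustration in C that is not Netatalk's code: the record layout (a 2-byte big-endian offset followed by a payload), the function names get_finderinfo_unsafe and get_finderinfo_safe, and the arena that places server-private data right after the client's message are all assumptions made for this demo. The unsafe parser uses the client's offset without comparing it to the number of bytes actually received, so it copies 32 bytes from beyond the message; the hardened parser rejects the same message before any read.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FINDERINFO_LEN 32u   /* Finder info is a fixed 32-byte blob in AFP/HFS+ metadata */

/* Vulnerable shape (assumed layout, not Netatalk's): the 2-byte big-endian
 * offset comes from the client and is used as-is, so a large value walks the
 * read past the end of the message. */
int get_finderinfo_unsafe(const uint8_t *msg, size_t msg_len,
                          uint8_t out[FINDERINFO_LEN])
{
    if (msg_len < 2)
        return -1;
    size_t off = ((size_t)msg[0] << 8) | msg[1];
    memcpy(out, msg + 2 + off, FINDERINFO_LEN);   /* never checked against msg_len */
    return 0;
}

/* Hardened shape: the offset is checked against the bytes actually received
 * before any read happens; the minimum-length test first keeps the
 * subtraction from underflowing. */
int get_finderinfo_safe(const uint8_t *msg, size_t msg_len,
                        uint8_t out[FINDERINFO_LEN])
{
    if (msg_len < 2 + FINDERINFO_LEN)
        return -1;
    size_t off = ((size_t)msg[0] << 8) | msg[1];
    if (off > msg_len - 2 - FINDERINFO_LEN)        /* would read past the end */
        return -1;
    memcpy(out, msg + 2 + off, FINDERINFO_LEN);
    return 0;
}

/* Constructed scenario: an arena where the client's message occupies the first
 * bytes and server-private data sits just after it. Returns 1 when the unsafe
 * parser leaks that private data and the safe parser refuses the same message. */
int demo_leak(void)
{
    uint8_t arena[128];
    memset(arena, 0, sizeof arena);

    /* Private data at arena[66..98): what an out-of-bounds read would expose. */
    static const char secret[FINDERINFO_LEN] = "SERVER-PRIVATE-DATA-NOT-FOR-YOU";
    memcpy(arena + 66, secret, FINDERINFO_LEN);

    /* Malicious message: offset 64 with only a 32-byte payload, so the message
     * is 34 bytes long while the requested read starts at byte 66. */
    arena[0] = 0x00; arena[1] = 0x40;
    memset(arena + 2, 'A', FINDERINFO_LEN);
    size_t msg_len = 2 + FINDERINFO_LEN;

    uint8_t leaked[FINDERINFO_LEN];
    int unsafe_rc = get_finderinfo_unsafe(arena, msg_len, leaked);
    int leaked_secret = (unsafe_rc == 0 && memcmp(leaked, secret, FINDERINFO_LEN) == 0);

    int safe_rc = get_finderinfo_safe(arena, msg_len, leaked);
    return leaked_secret && safe_rc == -1;
}

/* Constructed well-formed message: offset 0, Finder info right after the
 * header. Returns 1 when the safe parser accepts it, copies the right bytes,
 * and still refuses it once the message is one byte too short. */
int demo_valid(void)
{
    uint8_t msg[2 + FINDERINFO_LEN];
    msg[0] = 0x00; msg[1] = 0x00;
    memset(msg + 2, 'B', FINDERINFO_LEN);

    uint8_t out[FINDERINFO_LEN];
    if (get_finderinfo_safe(msg, sizeof msg, out) != 0) return 0;
    if (memcmp(out, msg + 2, FINDERINFO_LEN) != 0) return 0;
    return get_finderinfo_safe(msg, sizeof msg - 1, out) == -1;
}

int main(void)
{
    printf("unsafe parser leaked adjacent data and safe parser rejected it: %s\n",
           demo_leak() ? "yes" : "no");
    printf("safe parser handles a well-formed message correctly: %s\n",
           demo_valid() ? "yes" : "no");
    return 0;
}
```

The only difference between the two parsers is the pair of checks in get_finderinfo_safe, which is the shape a CWE-125 fix normally takes: bound the client-controlled offset by the bytes actually on hand, and order the comparisons so the size arithmetic itself cannot wrap.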

CWE(s)

CWE-125: Out-of-bounds Read

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

netatalk / netatalk: versions before 3.1.13 (fixed in 3.1.13)
debian / debian linux: 10.0, 11.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
