CVE-2022-24526
Published: 09 March 2022
Summary
CVE-2022-24526 is a medium-severity vulnerability of unspecified weakness type in Microsoft Visual Studio Code. Its CVSS base score is 6.1 (Medium).
Operationally, it is ranked in the top 25.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-24526 is a spoofing vulnerability affecting Visual Studio Code, published on March 9, 2022. It carries a CVSS 3.1 base score of 6.1 with the vector string AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and is categorized under NVD-CWE-noinfo.
An unauthenticated attacker can exploit the flaw remotely over a network by leveraging user interaction to achieve limited effects on confidentiality and integrity, with the changed scope indicating potential impact beyond the vulnerable component itself.
The associated EPSS score rose materially from a low baseline to a peak of 0.0553 on 2025-01-22 before receding to the current value of 0.0079, indicating that exploitation interest emerged after disclosure. No mitigation details are provided in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29406
Vulnerability details
Visual Studio Code Spoofing Vulnerability
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.