Cyber Resilience

CVE-2022-24724

High · Public PoC

Published: 03 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in 0.29.0.gfm.3 and 0.28.3.gfm.21
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0419 (89.0th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-24724 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in the cmark-gfm Markdown library, tracked here under the affected product Fedoraproject Fedora. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 11.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

cmark-gfm is GitHub's fork of the C reference implementation of CommonMark. CVE-2022-24724 is an integer overflow in the table-row parser (`table.c:row_from_string`) that occurs when a table marker row contains more than UINT16_MAX columns. The flaw affects all versions prior to 0.29.0.gfm.3 and 0.28.3.gfm.21 and produces heap memory corruption whose consequences range from information disclosure to arbitrary code execution.

An attacker who can supply Markdown containing an oversized table can trigger the overflow when an application renders that content with an affected cmark-gfm build. Because the CVSS vector is AV:N/AC:L/PR:L/UI:N, the issue is exploitable over the network by any authenticated user whose input reaches the parser, potentially yielding remote code execution in services that process untrusted Markdown with the table extension enabled.

The GitHub Security Advisory and downstream Fedora notices state that the vulnerability is fixed in the two releases listed above. They also note that disabling the table extension entirely prevents the parser path from being reached. Public references include a proof-of-concept on Packet Storm and multiple distribution advisories confirming the availability of updated packages.
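As an added example (not code from the advisory or from the cmark-gfm project), the following pre-render check is the kind of filter an application could apply to untrusted Markdown before passing it to a cmark-gfm build that cannot yet be upgraded: it locates table marker rows, counts their columns, and rejects any document whose widest marker row exceeds UINT16_MAX. The cell-splitting and delimiter-cell rules are a simplified approximation of GFM table syntax written for this example, so treat it as a coarse gate alongside upgrading or disabling the table extension, not as a replacement for either.

```python
import re

# Column-count limit named in the advisory (a uint16_t wraps past this value).
UINT16_MAX = 0xFFFF

# Approximation of a GFM table delimiter ("marker") cell: optional ':'
# alignment markers around one or more '-' characters, e.g. ---, :--, --:, :-:
_DELIM_CELL = re.compile(r"^:?-+:?$")


def split_cells(line: str) -> list[str]:
    """Split one table row into cells on unescaped '|' characters.

    Leading and trailing pipes are optional in GFM and are dropped here.
    """
    row = line.strip()
    if row.startswith("|"):
        row = row[1:]
    if row.endswith("|") and not row.endswith("\\|"):
        row = row[:-1]
    cells: list[str] = []
    current: list[str] = []
    escaped = False
    for ch in row:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == "|":
            cells.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    cells.append("".join(current).strip())
    return cells


def is_marker_row(line: str) -> bool:
    """True when every cell of the row is a delimiter cell such as '---' or ':-:'."""
    cells = split_cells(line)
    return bool(cells) and all(_DELIM_CELL.match(c) for c in cells)


def max_marker_row_columns(markdown: str) -> int:
    """Return the column count of the widest table marker row (0 if none found)."""
    widest = 0
    for line in markdown.splitlines():
        if "|" not in line:
            # A row without any pipe has at most one column and cannot
            # approach the limit; it is also how setext underlines look.
            continue
        if is_marker_row(line):
            widest = max(widest, len(split_cells(line)))
    return widest


def safe_for_affected_cmark_gfm(markdown: str) -> bool:
    """Reject documents whose marker rows exceed the uint16 column limit."""
    return max_marker_row_columns(markdown) <= UINT16_MAX


# Constructed sample input: an ordinary three-column table and one oversized
# marker row (65536 columns), to show the gate passing and failing.
SAMPLE_TABLE = "| a | b | c |\n|---|:-:|--:|\n| 1 | 2 | 3 |\n"
OVERSIZED_MARKER_ROW = "h\n|" + "---|" * (UINT16_MAX + 1) + "\n"

if __name__ == "__main__":
    print("sample table columns:", max_marker_row_columns(SAMPLE_TABLE))
    print("sample table accepted:", safe_for_affected_cmark_gfm(SAMPLE_TABLE))
    print("oversized row accepted:", safe_for_affected_cmark_gfm(OVERSIZED_MARKER_ROW))
```

The scan is linear in the document size, so it is cheap enough to run on every render request; rejected documents should be logged with their marker-row width so that repeated oversized submissions are visible to detection tooling.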

EPSS for the CVE rose from a low baseline to a peak of 0.1296 on 2025-01-22 before receding to the current value of 0.0419, indicating measurable post-disclosure exploitation interest.

Vulnerability details

cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing `table.c:row_from_string` may lead to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where `cmark-gfm` is used. If `cmark-gfm` is used for rendering remote user-controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the `cmark-gfm` library. This vulnerability has been patched in the following cmark-gfm versions: 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extension of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.

CWE(s)

CWE-190: Integer Overflow or Wraparound

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

github / cmark-gfm: ≤ 0.28.3.gfm.21 · 0.28.3.gfm.21 to 0.29.0.gfm.3
fedoraproject / fedora: 34, 35, 36

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References