CVE-2022-26507
Published: 14 April 2022
Summary
CVE-2022-26507 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Schneider Electric EcoStruxure Control Expert. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 8.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A heap-based buffer overflow vulnerability tracked as CVE-2022-26507 affects the XML Decompression DecodeTreeBlock function in AT&T Labs Xmill version 0.7. The flaw, assigned CWE-787, permits a crafted input file to trigger memory corruption and carries a CVSS 3.1 score of 9.8. The issue is distinct from several earlier Xmill CVEs and is stated to impact only products that are no longer supported by the maintainer.
An unauthenticated attacker can supply a malicious XML file over the network to achieve remote code execution, resulting in full compromise of confidentiality, integrity, and availability without requiring user interaction. The attack vector is rated as network-reachable with low complexity.
Public references point to Claroty research and Schneider Electric security advisory SEVD-2021-222-02, which address related impacts in downstream products that incorporated the affected Xmill component. No patches are available because the original maintainer has discontinued support. The associated EPSS score has remained flat at 0.0670 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31065
Vulnerability details
A heap-based buffer overflow exists in XML Decompression DecodeTreeBlock in AT&T Labs Xmill 0.7. A crafted input file can lead to remote code execution. This is not the same as any of: CVE-2021-21810, CVE-2021-21811, CVE-2021-21812, CVE-2021-21815, CVE-2021-21825, CVE-2021-21826, CVE-2021-21828, CVE-2021-21829, or CVE-2021-21830. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.