CVE-2022-32293
Published: 03 August 2022
Summary
CVE-2022-32293 is a high-severity Use After Free (CWE-416) vulnerability in Intel ConnMan. Its CVSS base score is 8.1 (High).
Operationally, it is ranked in the top 37.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
ConnMan through version 1.41 contains a use-after-free vulnerability (CWE-416) in its WISPR HTTP query handling. The flaw resides in the connection manager component that processes wireless Internet service provider roaming requests and can be triggered when an attacker intercepts the associated HTTP traffic.
An unauthenticated network adversary positioned to perform a man-in-the-middle attack against a WISPR query can induce the use-after-free condition. Successful exploitation may result in a crash or arbitrary code execution, although the CVSS vector rates attack complexity as high.
Upstream patches addressing the WISPR handling flaw were posted to the ConnMan mailing list in August 2022. Distribution vendors subsequently issued updates, including Debian DSA-5231 and Gentoo GLSA-202310-21, advising administrators to upgrade to fixed ConnMan releases.
The EPSS score for this CVE rose from a low baseline to a peak of 0.0527 on 2025-01-22 before receding, indicating a period of elevated estimated exploit likelihood well after the original 2022 disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-53486
Vulnerability details
In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a use-after-free in WISPR handling, leading to crashes or code execution.
- CWE(s): CWE-416
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that aim for arbitrary code execution are blocked or made significantly harder by non-executable pages and ASLR.