CVE-2022-38692
Published: 01 September 2025
Summary
CVE-2022-38692 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Nccgroup (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Firmware (T1542.001). The CVE ranks at the 40.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2022-38692 is a vulnerability in BootROM involving a missing size check for RSA keys during Certificate Type 0 validation, which can lead to a memory buffer overflow (CWE-119) without requiring additional execution privileges. The affected component is the BootROM in Unisoc SoCs, as detailed in research on Unisoc ROM vulnerabilities. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges or user interaction. Exploitation triggers a buffer overflow in the BootROM validation process, potentially enabling high-impact compromise of confidentiality, integrity, and availability.
Mitigation details are available in the NCC Group research advisory at https://www.nccgroup.com/research-blog/there-s-another-hole-in-your-soc-unisoc-rom-vulnerabilities/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-41261
Vulnerability details
In BootROM, there is a missing size check for RSA keys in Certificate Type 0 validation. This could lead to memory buffer overflow without requiring additional execution privileges.
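The class of check described above, as an added example (not code from this page, from NCC Group or from Unisoc): a parser that validates the declared RSA key size before copying into a fixed-size buffer. The certificate layout, field names and the 256-byte limit are assumptions made for illustration and do not reflect the actual BootROM format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout, NOT the Unisoc format: 1-byte type, 2-byte
 * little-endian modulus length, 4-byte exponent, then the modulus. */
#define CERT_HDR_LEN   7u
#define RSA_MAX_BYTES  256u          /* assumed RSA-2048 ceiling */

enum cert_status { CERT_OK = 0, CERT_TRUNCATED, CERT_BAD_TYPE, CERT_BAD_KEYLEN };

struct rsa_pubkey {
    uint16_t mod_len;
    uint32_t exponent;
    uint8_t  modulus[RSA_MAX_BYTES]; /* fixed-size destination */
};

/* Parse a type 0 certificate from untrusted bytes into *out. */
enum cert_status parse_cert_type0(const uint8_t *in, size_t in_len,
                                  struct rsa_pubkey *out)
{
    if (in_len < CERT_HDR_LEN)
        return CERT_TRUNCATED;
    if (in[0] != 0)
        return CERT_BAD_TYPE;

    uint16_t mod_len = (uint16_t)(in[1] | (in[2] << 8));

    /* The kind of check the CVE description says is missing: the declared
     * key size must fit the destination before anything is copied. */
    if (mod_len == 0 || mod_len > sizeof out->modulus)
        return CERT_BAD_KEYLEN;
    /* The declared size must also fit the bytes actually received. */
    if (mod_len > in_len - CERT_HDR_LEN)
        return CERT_TRUNCATED;

    memset(out, 0, sizeof *out);
    out->mod_len  = mod_len;
    out->exponent = (uint32_t)in[3] | ((uint32_t)in[4] << 8) |
                    ((uint32_t)in[5] << 16) | ((uint32_t)in[6] << 24);
    memcpy(out->modulus, in + CERT_HDR_LEN, mod_len);
    return CERT_OK;
}
```

Both bounds matter: the first protects the destination buffer, the second prevents reading past the end of the received certificate.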
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in BootROM RSA key validation during certificate processing directly enables code execution or compromise at the system firmware level in the pre-OS boot chain.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly addresses the missing size check for RSA keys by requiring validation of information inputs during BootROM certificate processing to prevent buffer overflows.
Implements memory protections that mitigate exploitation of the buffer overflow vulnerability in BootROM by preventing unauthorized code execution.
Requires identification, reporting, and correction of the specific BootROM flaw, including firmware updates to eliminate the buffer overflow risk.