CVE-2022-38693
Published: 01 September 2025
Summary
CVE-2022-38693 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability, with the affected vendor recorded as Nccgroup (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 43.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2022-38693 is a memory buffer overflow vulnerability in FDL1, a component of Unisoc SoC ROM firmware. Due to a missing payload size check, the vulnerability allows improper handling of input data, potentially leading to overflow conditions without requiring additional execution privileges.
Remote attackers can exploit this vulnerability over the network with low complexity and no user interaction or privileges (CVSS 3.1 score of 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution or system crashes on affected Unisoc-based devices.
The primary advisory is detailed in an NCC Group research blog post at https://www.nccgroup.com/research-blog/there-s-another-hole-in-your-soc-unisoc-rom-vulnerabilities/, which covers Unisoc ROM vulnerabilities including this issue; practitioners should consult it for specific mitigation guidance, as no patch details are provided in the CVE record.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-41262
Vulnerability details
In FDL1, there is a possible missing payload size check. This could lead to memory buffer overflow without requiring additional execution privileges.
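The defect class above is a length field trusted before it is compared against the receiving buffer. The following is an added illustration, not Unisoc's FDL1 code; the framing (a 16-bit little-endian length followed by the payload), the buffer size and the function names are all assumptions made for the example. It shows the two checks whose absence produces this kind of overflow: declared length against buffer capacity, and declared length against bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FDL_MAX_PAYLOAD 4096u  /* assumed staging-buffer size, not Unisoc's */

static uint8_t g_stage[FDL_MAX_PAYLOAD];  /* assumed fixed receive buffer */

/* Hypothetical download-handler parse step.
 * frame = [len_lo][len_hi][payload ...], frame_len = bytes received.
 * The vulnerable pattern the CVE text describes would be, in effect:
 *     memcpy(g_stage, frame + 2, declared);   // no bound on 'declared'
 * Returns the number of payload bytes staged, or -1 if the frame is rejected. */
int fdl_handle_payload(const uint8_t *frame, size_t frame_len)
{
    if (frame == NULL || frame_len < 2)
        return -1;                          /* header truncated */

    uint16_t declared = (uint16_t)(frame[0] | ((unsigned)frame[1] << 8));

    /* Check 1: the missing payload size check. Bound the copy by the
     * capacity of the destination buffer, never by attacker-supplied length. */
    if (declared > FDL_MAX_PAYLOAD)
        return -1;

    /* Check 2: do not read past the bytes that actually arrived. */
    if ((size_t)declared > frame_len - 2)
        return -1;

    memcpy(g_stage, frame + 2, declared);
    return (int)declared;
}
```

A reviewer auditing a loader for this class of bug looks for every copy whose size comes from the wire and confirms both bounds are enforced before the copy.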
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated buffer overflow in a network-exposed firmware component maps directly to exploitation of a public-facing service for code execution (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the missing payload size check by requiring the system to validate all information inputs, preventing buffer overflows from improper input handling.
- SI-16 (Memory Protection): implements memory protection mechanisms such as stack guards and non-executable memory to limit exploitation of buffer overflows in firmware components such as FDL1.
- Flaw remediation: requires identification, reporting, and correction of flaws like the buffer overflow in Unisoc SoC ROM firmware to eliminate the vulnerability.