Cyber Resilience

CVE-2022-38693

Critical

Published: 01 September 2025

Modified: 15 April 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0021 (43.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

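CVE-2022-38693 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in FDL1, a component of Unisoc SoC ROM firmware. The affected-asset label on this page, "Nccgroup", is inferred from the references, which point to NCC Group's research blog. The CVSS base score is 9.8 (Critical).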

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 43.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2022-38693 is a memory buffer overflow vulnerability in FDL1, a component of Unisoc SoC ROM firmware. Due to a missing payload size check, the vulnerability allows improper handling of input data, potentially leading to overflow conditions without requiring additional execution privileges.

Remote attackers can exploit this vulnerability over the network with low complexity and no user interaction or privileges (CVSS 3.1 score of 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution or system crashes on affected Unisoc-based devices.

The primary advisory is detailed in an NCC Group research blog post at https://www.nccgroup.com/research-blog/there-s-another-hole-in-your-soc-unisoc-rom-vulnerabilities/, which covers Unisoc ROM vulnerabilities including this issue; practitioners should consult it for specific mitigation guidance, as no patch details are provided in the CVE record.

Vulnerability details

In FDL1, there is a possible missing payload size check. This could lead to memory buffer overflow without requiring additional execution privileges.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A remote, unauthenticated buffer overflow in a network-exposed firmware component directly enables exploitation of public-facing services for code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39892: Shared CWE-119
CVE-2026-34159: Shared CWE-119
CVE-2025-7775: Shared CWE-119
CVE-2026-4149: Shared CWE-119
CVE-2025-33076: Shared CWE-119
CVE-2025-7776: Shared CWE-119
CVE-2025-30437: Shared CWE-119
CVE-2025-14572: Shared CWE-119
CVE-2025-33077: Shared CWE-119
CVE-2026-6775: Shared CWE-119

Affected Assets

Nccgroup
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly mitigates the missing payload size check by requiring the system to validate all information inputs, preventing buffer overflows from improper input handling.

Prevent: Implements memory protection mechanisms like stack guards and non-executable memory to prevent exploitation of buffer overflows in firmware components such as FDL1.

Prevent: Requires identification, reporting, and correction of flaws like the buffer overflow in Unisoc SoC ROM firmware to eliminate the vulnerability.
