CVE-2022-41034

Severity: High
Published: 11 October 2022
Modified: 02 January 2025
KEV Added: not listed
Patch: vendor update available (see Microsoft Security Response Center guidance)
CVSS v3.1: 7.8 (High), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.6320 (98.4th percentile)
Risk Priority: 54 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-41034 is a high-severity remote code execution vulnerability in Microsoft Visual Studio Code. Its CVSS v3.1 base score is 7.8 (High).

Operationally, it ranks in the top 1.6% of CVEs by estimated exploit likelihood (EPSS 98.4th percentile), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

Visual Studio Code contains a remote code execution vulnerability tracked as CVE-2022-41034. The flaw received a CVSS 3.1 base score of 7.8: attack vector local, low attack complexity, no privileges required, user interaction required, scope unchanged, and high impact to confidentiality, integrity, and availability.

An attacker who can deliver a malicious file or workspace and convince a user to open it in Visual Studio Code (the UI:R component) can execute arbitrary code on the victim's system. The local attack vector reflects that the payload must be opened on the victim's machine, not that the attacker needs prior access to it. PR:N and S:U mean that exploitation requires no credentials or existing foothold and yields code execution with the rights of the targeted user, which on a developer workstation commonly includes access to source repositories and the developer's cached credentials.

Microsoft has published official guidance for the issue in its Security Response Center advisory, which details the available update and recommended actions for affected installations.

The EPSS score currently stands at 0.6320 (an estimated 63% probability of exploitation activity within the next 30 days) against a recorded peak of 0.6551. EPSS is a prediction of exploitation likelihood rather than confirmation of observed attacks, so this indicates sustained but not sharply escalating exploitation interest since disclosure.

Vulnerability details

Visual Studio Code Remote Code Execution Vulnerability

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Visual Studio Code, versions ≤ 1.72.1
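The two numbers a practitioner acts on from this page are the affected range (Visual Studio Code ≤ 1.72.1) and the Risk Priority of 54. The following is an added example, not code from the original page or from Microsoft: it triages a constructed inventory of `code --version` outputs against the page's affected range with a proper numeric version comparison (so that, for instance, 1.9.1 is correctly treated as older than 1.72.1 and Insiders builds with a pre-release suffix still parse), and it reconstructs the Risk Priority from the stated 60/20/20 weights. The scaling in `risk_priority` (EPSS ×100, CVSS ×10, KEV as 100 or 0) is an assumption, not something the page states; it is chosen because it reproduces the published 54 and shows what a KEV listing would do to the score.

```python
"""Triage helpers for CVE-2022-41034 (Visual Studio Code).

Added example, not from the original page or from Microsoft. The affected
range comes from the page (Visual Studio Code <= 1.72.1); the inventory and
the Risk Priority scaling below are constructed assumptions.
"""
import re
from typing import Iterable, List, Tuple

# Highest affected version as listed on the page.
LAST_AFFECTED = "1.72.1"

# Constructed inventory: (hostname, first line of `code --version` output).
INVENTORY = [
    ("dev-01", "1.71.2"),
    ("dev-02", "1.72.1"),          # boundary: still in the affected range
    ("dev-03", "1.72.2"),
    ("dev-04", "1.73.0-insider"),  # Insiders build: pre-release suffix is ignored
    ("dev-05", "1.9.1"),           # numeric compare, not string compare
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return (major, minor, patch) from a VS Code version string.

    Accepts '1.72.1' and '1.73.0-insider'; raises ValueError otherwise so an
    unparseable inventory row is surfaced instead of silently skipped.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when version <= last_affected, i.e. inside the page's '<= 1.72.1' range."""
    return parse_version(version) <= parse_version(last_affected)


def triage(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose Visual Studio Code is in the affected range."""
    return [host for host, version in inventory if is_affected(version)]


def risk_priority(epss: float, cvss: float, in_kev: bool) -> int:
    """Reconstruct the page's Risk Priority from its stated 60/20/20 weights.

    Assumption (not stated on the page): each factor is scaled to 0-100
    (EPSS probability x100, CVSS x10, KEV 100 if listed else 0), weighted
    60% / 20% / 20% and rounded. With the page's values (0.6320, 7.8, not
    in KEV) this reproduces the published 54.
    """
    score = 0.6 * (epss * 100) + 0.2 * (100 if in_kev else 0) + 0.2 * (cvss * 10)
    return round(score)


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: Visual Studio Code <= {LAST_AFFECTED}, update required")
    print("Risk Priority now:", risk_priority(0.6320, 7.8, in_kev=False))
    print("Risk Priority if KEV-listed:", risk_priority(0.6320, 7.8, in_kev=True))
```

Under these assumptions the triage flags dev-01, dev-02 and dev-05, and the reconstructed score moves from 54 to 74 if the CVE were added to KEV, which is why the KEV column carries weight out of proportion to its 20% share: it is the only factor that can jump from 0 to 100 in one step.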

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. Until it does, the vendor-supported remediation is to update Visual Studio Code to a version above the affected range.
