CVE-2022-41034
Published: 11 October 2022
Summary
CVE-2022-41034 is a high-severity vulnerability in Microsoft Visual Studio Code; the underlying weakness type (CWE) is unspecified. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
Visual Studio Code contains a remote code execution vulnerability tracked as CVE-2022-41034. The flaw received a CVSS 3.1 base score of 7.8, with an attack vector of local access, low attack complexity, no privileges required, and user interaction required, resulting in high impact to confidentiality, integrity, and availability.
An attacker who can supply a malicious file or workspace and convince a user to open it in Visual Studio Code can execute arbitrary code on the victim system. Because no privileges are required and the scope is unchanged, successful exploitation grants the attacker the same rights as the targeted user without needing additional credentials.
Microsoft has published official guidance for the issue in its Security Response Center at the referenced URLs, which include details on available updates and recommended actions for affected installations.
The associated EPSS score currently stands at 0.6320, with a recorded peak of 0.6551, indicating sustained but not sharply escalating exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-44279
Vulnerability details
Visual Studio Code Remote Code Execution Vulnerability
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.