CVE-2022-45063
Published: 10 November 2022
Summary
CVE-2022-45063 is a critical-severity Command Injection (CWE-77) vulnerability in the xterm terminal emulator (versions before patch 375), tracked here against Fedoraproject Fedora as the affected product. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 5.5% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-45063 affects xterm versions before patch 375 and stems from insufficient sanitization in the font-operation code path, notably the OSC 50 escape sequence used to set and query the terminal font. Like other terminal query responses, xterm's answer to an OSC 50 query is written back to the foreground application as if it had been typed. When that response is attacker-controlled and contains a Ctrl-G (BEL) character, the Ctrl-G can be interpreted as a command terminator; in the reported case, Zsh running in vi line-editing mode, this allows the injected text to be executed as a shell command. The vulnerability carries a CVSS score of 9.8 and is classified under CWE-77. Font operations are disabled by default (the allowFontOps resource set to false) in the xterm configurations shipped by several Linux distributions, which limits exposure in those environments.
CVSS rates the flaw as exploitable over the network without authentication because the triggering escape sequences can arrive in any data the terminal renders: output of a remote session, a fetched file, a crafted log line or mail message displayed with cat or less. The victim must display that data in a vulnerable xterm with font operations enabled while a susceptible application such as Zsh in vi mode is reading input. Successful exploitation lets the attacker execute arbitrary commands with the privileges of the user running the terminal session, resulting in complete compromise of confidentiality, integrity, and availability for that user.
Public advisories on the Openwall oss-security mailing list and entries in the xterm change log at invisible-island.net describe the issue and the corrective changes incorporated in patch 375. Administrators are advised to update xterm to 375 or later and to confirm that font operations remain disabled (allowFontOps false) in any locally customized X resources, since a user's own ~/.Xresources or xrdb settings can re-enable what the distribution's app-defaults file turned off.
EPSS scores for the CVE rose from lower values to a peak of 0.2570 on 2025-12-18 before receding to the current 0.1403. EPSS is a modelled probability of exploitation in the wild within the next 30 days, so this trajectory indicates a period of elevated predicted exploitation likelihood after disclosure, not confirmed exploitation.
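The following POSIX shell script is an added example, not code from the xterm project or the advisories; it implements the two checks the advice above calls for. A host is exposed only when both conditions hold: the xterm patch level reported by `xterm -version` (a banner such as `XTerm(372)`) is below 375, and the `allowFontOps` resource is effectively true (the upstream default, so the setting is only safe when some resource line explicitly sets it false). The parsing is split into pure string functions so it can be fed captured output from another host; the rule that the last matching resource line wins, and the live collection via `appres` and `xrdb -query`, are assumptions of this example. A final helper flags OSC 50 sequences in arbitrary data so a file can be screened before it is written to a terminal.

```shell
#!/bin/sh
# Added example for CVE-2022-45063 exposure checking (not the project's code).

# Extract the patch number from an `xterm -version` banner such as "XTerm(372)".
# Prints nothing if the input does not look like an xterm version banner.
xterm_patch_level() {
    printf '%s\n' "$1" | sed -n 's/^XTerm(\([0-9][0-9]*\)).*/\1/p'
}

# True (exit 0) when the banner denotes a version before the fix in patch 375.
xterm_version_vulnerable() {
    level=$(xterm_patch_level "$1")
    [ -n "$level" ] && [ "$level" -lt 375 ]
}

# Given resource lines as printed by `appres XTerm xterm` or `xrdb -query`,
# decide whether font ops are allowed. Upstream default is true, so only an
# explicit false turns them off. Assumption: the last matching line wins.
font_ops_allowed() {
    val=$(printf '%s\n' "$1" \
        | sed -n 's/^[^:]*allowFontOps[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$val" in
        false|0|no|off) return 1 ;;
        *) return 0 ;;
    esac
}

# Exposed only when the version is vulnerable AND font ops are allowed.
cve_2022_45063_exposed() {
    xterm_version_vulnerable "$1" && font_ops_allowed "$2"
}

# True when the data contains an OSC 50 introducer (ESC ] 50 ;), the sequence
# that reaches the vulnerable font-op path. Use it to screen untrusted files
# before displaying them.
contains_osc50() {
    printf '%s' "$1" | grep -q -F -- "$(printf '\033]50;')"
}

# Live check of the local xterm, if one is installed. Resource collection is
# best effort: appres/xrdb need an X environment and may fail silently.
report_local_xterm() {
    banner=$(xterm -version 2>/dev/null || true)
    resources=$( { appres XTerm xterm; xrdb -query; } 2>/dev/null || true)
    if cve_2022_45063_exposed "$banner" "$resources"; then
        echo "EXPOSED: $banner with font ops allowed; update to 375+ or set 'XTerm*allowFontOps: false'"
    else
        echo "not exposed: ${banner:-no xterm banner} (font ops disabled or version >= 375)"
    fi
}

if command -v xterm >/dev/null 2>&1; then
    report_local_xterm
fi
```

Run it on each workstation that has xterm installed; to audit a fleet, collect `xterm -version` and `appres XTerm xterm` output centrally and feed the strings to `cve_2022_45063_exposed`. Note that `xterm -version` reflects the binary on the path, so also check alternative installations such as a locally built xterm under /usr/local.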
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-47985
Vulnerability details
xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.