CVE-2022-45063
Publication date 10 November 2022
Last updated 25 August 2025
Ubuntu priority
Description
xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| xterm | ||
| 22.04 LTS jammy | Ignored code-not-compiled | |
| 20.04 LTS focal | Ignored code-not-compiled | |
| 18.04 LTS bionic | Ignored code-not-compiled | |
| 16.04 LTS xenial | Ignored code-not-compiled | |
| 14.04 LTS trusty | Ignored end of standard support |
Notes
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Other references
- https://www.openwall.com/lists/oss-security/2022/11/10/1
- https://invisible-island.net/xterm/xterm.log.html
- https://news.ycombinator.com/item?id=33546415
- http://www.openwall.com/lists/oss-security/2022/11/10/1
- http://www.openwall.com/lists/oss-security/2022/11/10/5
- https://www.cve.org/CVERecord?id=CVE-2022-45063