Is CVE-2022-2347 actively exploited?

CVE-2022-2347 has no public evidence of in-the-wild exploitation as of 2025-11-03.

What is the CVSS score for CVE-2022-2347?

CVE-2022-2347 has a CVSS score of 7.7 (HIGH severity). Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H.

How do I patch CVE-2022-2347?

Patch guidance is available from denx security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2022-2347.

Fix CVE-2022-2347 - HIGH denx u-boot

Description

There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer.

CVSS Metrics

Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: local
Complexity: high
Privileges: none
User Action: required
Scope: changed
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-122 CWE-787 · Out-of-bounds Write

Metadata

Primary Vendor: DENX
Published: 9/23/2022
Last Modified: 11/3/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

denx : u-boot

Remediation Guidance

Executive Summary

Cite this page

CVE-2022-2347. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2022-2347

View on NIST NVD

CVE-2022-2347 vulnerability