CVE-2022-26507: Buffer Overflow
First published: Thu Apr 14 2022(Updated: )
** UNSUPPORTED WHEN ASSIGNED ** A heap-based buffer overflow exists in XML Decompression DecodeTreeBlock in AT&T Labs Xmill 0.7. A crafted input file can lead to remote code execution. This is not the same as any of: CVE-2021-21810, CVE-2021-21811, CVE-2021-21812, CVE-2021-21815, CVE-2021-21825, CVE-2021-21826, CVE-2021-21828, CVE-2021-21829, or CVE-2021-21830. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Att Xmill | =0.7 | |
| Schneider-electric Ecostruxure Control Expert | <15.1 | |
| Schneider-electric Ecostruxure Control Expert | =15.1 | |
| Schneider-electric Ecostruxure Process Expert | <2021 | |
| Schneider-electric Remoteconnect | ||
| Schneider-electric Scadapack 470 | ||
| Schneider-electric Scadapack 474 | ||
| Schneider-electric Scadapack 570 | ||
| Schneider-electric Scadapack 574 | ||
| Schneider-electric Scadapack 575 | ||
| All of | ||
| Any of | ||
| Schneider-electric Scadapack 470 | ||
| Schneider-electric Scadapack 474 | ||
| Schneider-electric Scadapack 570 | ||
| Schneider-electric Scadapack 574 | ||
| Schneider-electric Scadapack 575 | ||
| Schneider-electric Remoteconnect |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-26507?
CVE-2022-26507 is a heap-based buffer overflow vulnerability in XML Decompression DecodeTreeBlock in AT&T Labs Xmill 0.7, which can be exploited to achieve remote code execution.
What is the severity of CVE-2022-26507?
The severity of CVE-2022-26507 is critical, with a CVSS score of 9.8.
Which software products are affected by CVE-2022-26507?
The affected software products include Att Xmill 0.7, Schneider-electric Ecostruxure Control Expert (up to version 15.1), Schneider-electric Ecostruxure Process Expert (up to version 2021), and Schneider-electric Remoteconnect.
How can CVE-2022-26507 be exploited?
CVE-2022-26507 can be exploited by crafting a malicious input file to trigger the heap-based buffer overflow, which may result in remote code execution.
Is there a fix available for CVE-2022-26507?
At the moment, there is no fix available for CVE-2022-26507. It is advisable to follow the recommendations provided by the vendor or security advisories.
- collector/nvd-index
- agent/references
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/author
- agent/description
- agent/softwarecombine
- agent/tags
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- vendor/att
- canonical/att xmill
- version/att xmill/0.7
- vendor/schneider-electric
- canonical/schneider-electric ecostruxure control expert
- version/schneider-electric ecostruxure control expert/15.1
- canonical/schneider-electric ecostruxure process expert
- canonical/schneider-electric remoteconnect
- canonical/schneider-electric scadapack 470
- canonical/schneider-electric scadapack 474
- canonical/schneider-electric scadapack 570
- canonical/schneider-electric scadapack 574
- canonical/schneider-electric scadapack 575