
Cloud Vulnerability DB
A community-led vulnerabilities database
A denial-of-service vulnerability (CVE-2022-22938) was discovered in VMware Workstation (16.x prior to 16.2.2) and Horizon Client for Windows (5.x prior to 5.5.3). The vulnerability exists in the Cortado ThinPrint component, specifically in the TrueType font parser. This issue was privately reported to VMware and was assigned a moderate severity rating with a CVSSv3 base score of 4.0 (VMware Advisory).
The vulnerability resides in the TrueType font parser component of the Cortado ThinPrint service. VMware has evaluated the severity of the issue to be in the Moderate severity range with a CVSSv3 base score of 4.0. The vulnerability specifically affects the font parsing mechanism used by the virtual printing feature (VMware Advisory).
When successfully exploited, this vulnerability can trigger a denial-of-service condition in the ThinPrint service running on the host machine where VMware Workstation or Horizon Client for Windows is installed (VMware Advisory).
To remediate CVE-2022-22938, VMware has released patches that should be applied to affected systems. The fixed versions are Workstation 16.2.2 and Horizon Client for Windows 5.5.3. No workarounds are available for this vulnerability, making patch installation the only mitigation option (VMware Advisory).
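Since patching is the only mitigation, the practical task is finding installs still below the fixed versions. The following is an added example, not code from VMware or from this page: it triages a software inventory against the affected branches and fixed versions stated above. The product-name strings, host names, and inventory rows are constructed assumptions.

```python
import re

# Affected branch -> first fixed version, taken from the advisory text above.
# The product-name keys are assumed inventory display names.
FIXED = {
    "vmware workstation": ((16,), (16, 2, 2)),
    "vmware horizon client": ((5,), (5, 5, 3)),
}

def parse_version(text):
    """Leading dotted version as a tuple: '16.2.1 build-1' -> (16, 2, 1)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def pad(v, n=3):
    """Right-pad with zeros so '16.2' compares as 16.2.0."""
    return tuple(v) + (0,) * (n - len(v))

def triage(product, version):
    """Classify one install against the ranges listed on this page."""
    key = next((k for k in FIXED if product.lower().startswith(k)), None)
    if key is None:
        return "not-in-scope"
    branch, fixed = FIXED[key]
    v = parse_version(version)
    if v[:len(branch)] != branch:
        # The page only lists 16.x and 5.x; make no claim about other branches.
        return "branch-not-listed"
    return "affected" if pad(v) < pad(fixed) else "fixed"

def triage_inventory(rows):
    """rows: (host, product, version) tuples -> {host: status}."""
    return {host: triage(product, version) for host, product, version in rows}

# Constructed sample inventory (not real hosts or build numbers).
INVENTORY = [
    ("host-a", "VMware Workstation", "16.2.1 build-1234567"),
    ("host-b", "VMware Workstation", "16.2.2"),
    ("host-c", "VMware Horizon Client", "5.5.2.12345"),
    ("host-d", "VMware Horizon Client", "8.4.0"),
    ("host-e", "VMware Tools", "11.3.5"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `branch-not-listed` need a check against the vendor advisory itself, since this page only covers the 16.x and 5.x branches.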
VMware acknowledged Gabriel Durdiak, a former intern of Quarkslab, for reporting this issue (VMware Advisory).
Source: This report was generated using AI