Vulnerability DatabaseCVE-2022-23318

CVE-2022-23318:
Linux Debian vulnerability analysis and mitigation

Overview

A heap-buffer-overflow vulnerability was discovered in pcf2bdf versions >= 1.05. The vulnerability allows an attacker to trigger unsafe memory access via a specially crafted PCF font file. This out-of-bound read may lead to an application crash, information disclosure via program memory, or other context-dependent impacts (NVD, MITRE).

Technical details

The vulnerability was identified in the main function of pcf2bdf.cc around line 852, where a heap buffer overflow occurs during the processing of PCF font files. When tested with address sanitization, the vulnerability manifests as a READ operation of size 40 bytes beyond the allocated buffer boundary. The issue was confirmed through fuzzing tests using AFL, which demonstrated that specially crafted input files could trigger a memory access violation (GitHub Issue).

Impact

The vulnerability can result in multiple adverse effects including application crashes, potential information disclosure through leaked program memory, and other context-dependent impacts. The out-of-bounds read access to memory could potentially expose sensitive information from the application's memory space (NVD).

Mitigation and workarounds

The vulnerability was fixed in version 1.07 released on February 23, 2022. Users are advised to upgrade to this version which specifically addresses CVE-2022-23318 by fixing the heap buffer overflow on invalid input PCF files (GitHub).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

7.1

Score

Published February 17, 2022

Severity HIGH

CNA Score N/A

Affected Technologies

Linux Debian
Echo

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 38.6

Exploitation Probability (EPSS) 0.2

Affected packages and libraries

pcf2bdf

Sources

NVD
Debian Security Tracker
- Debian 11 Severity LOWNo FixAdded at: Mar 28, 2022
- Debian 12 Severity LOWHas FixAdded at: Mar 03, 2022
- Debian 13 Severity LOWHas FixAdded at: Jun 11, 2023
- Debian 14 Severity LOWHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity HIGHHas FixAdded at: Nov 18, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Linux Debian vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-67726	HIGH	7.5	Linux Debian	python-tornado	No	No	Dec 12, 2025
CVE-2025-67725	HIGH	7.5	Linux Debian	python-tornado	No	No	Dec 12, 2025
CVE-2025-67724	MEDIUM	5.4	Linux Debian	python-tornado	No	No	Dec 12, 2025
CVE-2025-64702	MEDIUM	5.3	Syncthing	buf	No	Yes	Dec 11, 2025
CVE-2025-40345	N/A	N/A	Linux Debian	linux	No	Yes	Dec 12, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2022-23318: Linux Debian vulnerability analysis and mitigation