KEV 2022

Linux Kernel cgroups v1 — release_agent Container Escape and Local Privilege Escalation

Cisco SD-WAN CLI — Relative Path Traversal to Root, Re-Weaponised by UAT-8616 via Deliberate Firmware Downgrade in 2026 Campaign

Apple iOS/macOS/Safari/tvOS/watchOS — JavaScriptCore Processing of Malicious Web Content Leads to Code Execution; Fixed iOS 15.6 (July 2022); NVD Published 13 Months Later

D-Link DNR-322L Cloud NVR — Authenticated Attacker Executes OS Commands via Unsigned Firmware Download; EoL Device; No Patch Available; KEV Added August 2025

Pentaho BA Server — Authenticated Spring Template Injection via Properties Files Enables Arbitrary Command Execution; Chained with CVE-2022-43939 for Unauthenticated RCE; Fixed 9.4.0.1/9.3.0.2

Pentaho BA Server — Non-Canonical URL Path Bypasses Authorization Checks; Chained with CVE-2022-43769 (Spring Template Injection) for Unauthenticated RCE; Fixed 9.4.0.1/9.3.0.2

Audinate Dante Discovery — mDNSResponder.exe DLL Sideloading Enables Local Code Execution; Bundled with Third-Party AV Products; KEV Added February 2025

Linux Kernel — fsconfig Integer Underflow Allows Heap Overflow and Privilege Escalation via User Namespaces

Microsoft Windows Print Spooler — JavaScript Constraints File Modification Enabling SYSTEM Privilege Escalation (GooseEgg)

Apple iOS/macOS/tvOS/watchOS — Kernel TOCTOU Race Condition Bypasses Pointer Authentication (PAC); Fixed iOS 16.2 (December 2022); NVD Published 13 Months Later

Qualcomm Snapdragon Chipsets — Local Privilege Escalation via Use-After-Free in Kernel During Process Init

Google Chromium Network Service — Use-After-Free Enabling Heap Corruption via Crafted Web Content

Arm Mali GPU Kernel Driver — Use-After-Free Allowing Non-Privileged Root Escalation on Android Devices

Apache Spark — Command Injection via UI Authentication Filter Enabling OS Command Execution

Arm Mali GPU Kernel Driver — Write-to-Read-Only Memory Pages Enabling Android Privilege Escalation

ZK Framework AuUploader — Path Traversal Enabling File Disclosure, Exploited via ConnectWise R1Soft to Deploy Ransomware

TerraMaster TOS — Unauthenticated RCE via Missing Authentication in API Endpoint; Exploited by DeadBolt Ransomware for NAS Encryption; Fixed TOS 4.2.30

Microsoft Exchange Server — OWA SSRF Enables Privilege Escalation (OWASSRF Chain with CVE-2022-41082 for RCE); Exploited by Play Ransomware; KEV Added January 2023

Apple iOS/iPadOS — WebKit Type Confusion in Maliciously Crafted Web Content Leads to Code Execution on Older Devices; December 2022 Zero-Day; KEV Added 1 Day Before NVD Publication

Veeam Backup & Replication Distribution Service — Unauthenticated API Access Enabling Remote Code Execution

Google Chrome/Chromium V8 — Type Confusion Enables Heap Corruption via Crafted HTML Page; December 2022 Zero-Day (9th Chrome Zero-Day of 2022); Fixed Chrome 108.0.5359.94

Windows JScript9 — Out-of-Bounds Write in Internet Explorer's JavaScript Engine via Malicious Web Content; November 2022 Zero-Day; Exploited by North Korean APT37

Windows Print Spooler — Local Privilege Escalation to SYSTEM; November 2022 Patch Tuesday Zero-Day; Ransomware Use Confirmed; KEV Added Day Before NVD Publication

Windows CNG Key Isolation Service — Out-of-Bounds Write in Cryptographic Key Management Service Grants SYSTEM Privileges; November 2022 Zero-Day

Google Chrome/Chromium V8 — Type Confusion Enables Heap Corruption via Crafted HTML; October 2022 Zero-Day; Discovered by Avast Threat Intelligence; Fixed Chrome 107.0.5304.87

Apple iOS and iPadOS — Kernel Out-of-Bounds Write Enabling Local Privilege Escalation to Kernel

Microsoft Windows COM+ Event System Service — Type Confusion Enabling Local SYSTEM Privilege Escalation

Atlassian Bitbucket Server and Data Center — Authenticated Command Injection via Repository Archive API Endpoints

Microsoft Exchange Server — Authenticated SSRF as First Stage of ProxyNotShell RCE Chain

Microsoft Exchange Server — Authenticated RCE via PowerShell Deserialization as Second Stage of ProxyNotShell

Apple iOS, iPadOS, and macOS — Kernel Out-of-Bounds Write Enabling Application Code Execution with Kernel Privileges

Microsoft Windows CLFS Driver — Out-of-Bounds Write Enabling SYSTEM Privilege Escalation, Exploited by Nokoyawa Ransomware

Trend Micro Apex One — Admin-Accessible Rollback Mechanism Executes Attacker-Crafted Component on Server; Zero-Day Added to KEV Before CVE Publication

WebRTC — Heap Buffer Overflow in RTCP Parsing Exploited by Candiru Spyware for Chrome Zero-Day

Microsoft Active Directory Certificate Services — Certifried: Certificate-Based Domain Privilege Escalation to SYSTEM

Apple WebKit — Out-of-Bounds Write Enabling Remote Code Execution via Malicious Web Content

Palo Alto Networks PAN-OS — URL Filtering Misconfiguration Enables TCP Reflected Amplification DDoS Against Third Parties

Microsoft Windows Runtime — Local RCE via Uninitialized Pointer When Opening Crafted File

Apple iOS and macOS Kernel — Out-of-Bounds Write Enabling Application Code Execution with Kernel Privileges

Microsoft Windows MSDT — DogWalk: Path Traversal Enabling RCE via Malicious .diagcab File

RARLAB UnRAR — Path Traversal on Linux/Unix Exploited via Zimbra to Achieve Unauthenticated RCE

Zimbra Collaboration Suite — CRLF Injection in Memcache Enabling Cleartext Credential Theft Without Authentication

Zimbra Collaboration Suite — Arbitrary File Upload via mboximport, Enabling RCE When Chained with Auth Bypass (CVE-2022-37042)

Microsoft Windows LSA — PetitPotam-style NTLM Relay to AD CS Enabling Domain Controller Takeover

Microsoft Windows CSRSS — Zero-Day Local Privilege Escalation to SYSTEM via Untrusted Search Path

Microsoft Windows 'Follina' — MSDT URL Handler Invoked by Office Documents Allows Code Execution Without Macros

Google Chrome / Chromium — Zero-Day V8 JavaScript Engine Type Confusion; 4th Chrome 0-day of 2022

WatchGuard Firebox and XTM — Unprivileged Management Session Escalation Exploited by Sandworm for Cyclops Blink Botnet

Linux Kernel 'Dirty Pipe' — Uninitialized Pipe Buffer Flag Permits Page Cache Overwrite for Local Privilege Escalation

Microsoft Windows Print Spooler — Privilege Escalation to SYSTEM via Print Spooler Service Flaw

VMware Workspace ONE Access, Identity Manager, vRealize Automation — Improper Permissions in Support Scripts Enabling Root Escalation

Microsoft Windows CLFS Driver — Zero-Day Privilege Escalation Exploited by Ransomware Operators Before April 2022 Patch

Apple macOS AppleAVD — Out-of-Bounds Write in Audio/Video Decoder Enabling Kernel Code Execution

Microsoft Windows User Profile Service — Local Privilege Escalation via Symbolic Link Abuse

Microsoft Windows User Profile Service — Race Condition Enabling Local SYSTEM Privilege Escalation

Google Chrome / Chromium — Zero-Day V8 JavaScript Engine Type Confusion; 3rd Chrome 0-day of 2022

Mozilla Firefox/Firefox ESR/Thunderbird — XSLT Parameter Processing Use-After-Free; March 2022 Zero-Day; KEV Added 9 Months Before NVD Publication

Microsoft Windows Print Spooler — Local Privilege Escalation via Path Traversal; Post-PrintNightmare Spooler Chain

Google Chrome / Chromium — Zero-Day UAF in Animation Engine; Attributed to North Korean APT Targeting Crypto Sector

Apple WebKit — Zero-Day UAF in Web Content Parser Enables RCE on iOS, iPadOS, and macOS

Microsoft Windows Win32k — Local Privilege Escalation to SYSTEM via Kernel Driver Out-of-Bounds Write