Login Sign Up

CVE-2022-29022

9.8 CRITICAL
Denial of Service Buffer Overflow

📋 TL;DR

A buffer overflow vulnerability in the razeraccessory driver of OpenRazer up to v3.3.0 allows attackers to cause a Denial of Service (DoS) and potentially escalate privileges by sending a crafted buffer to the matrix_custom_frame device. This affects systems using OpenRazer drivers for Razer peripherals on Linux.

💻 Affected Systems

Products:
  • OpenRazer
Versions: All versions up to v3.3.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with OpenRazer driver installed and loaded. Requires access to /sys/class/razer/matrix_custom_frame device file.

📦 What is this software?

Openrazer by Openrazer Project

View all CVEs affecting Openrazer →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation to root, complete system compromise, and persistent access.

🟠

Likely Case

Local Denial of Service (kernel panic/crash) and potential privilege escalation if exploited by a local attacker.

🟢

If Mitigated

No impact if driver is not loaded or system is patched.

🌐 Internet-Facing: LOW - Requires local access to the device file.
🏢 Internal Only: HIGH - Local attackers can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the device file. Proof-of-concept code is available in public references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.3.1 and later

Vendor Advisory: https://github.com/openrazer/openrazer/pull/1790

Restart Required: Yes

Instructions:

1. Update OpenRazer to v3.3.1 or later. 2. Rebuild and reload the kernel module. 3. Reboot the system.

🔧 Temporary Workarounds

Remove device file permissions

linux

Remove write permissions from the vulnerable device file to prevent exploitation.

sudo chmod a-w /sys/class/razer/matrix_custom_frame

Unload OpenRazer driver

linux

Temporarily unload the vulnerable driver module.

sudo rmmod razeraccessory

🧯 If You Can't Patch

  • Restrict access to the device file to root only.
  • Disable or remove OpenRazer driver if not needed.

🔍 How to Verify

Check if Vulnerable:

Check if /sys/class/razer/matrix_custom_frame exists and OpenRazer version is ≤3.3.0.

Check Version:

dpkg -l openrazer-driver-dkms || rpm -q openrazer-driver-dkms || check installed version manually

Verify Fix Applied:

Verify OpenRazer version is ≥3.3.1 and device file has proper permissions.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • System crashes related to razeraccessory driver
  • Unusual access to /sys/class/razer/matrix_custom_frame

Network Indicators:

  • None - local exploitation only

SIEM Query:

process.name='razeraccessory' AND event.action='crash' OR file.path='/sys/class/razer/matrix_custom_frame' AND event.action='write'

📊 Metadata

CVE ID: CVE-2022-29022
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-120
Published: May 20, 2022
Last Updated: November 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-29022, you might also want to check these:

CVE-2023-24482 10.0

This CVE describes a critical buffer overflow vulnerability in COMOS software's cache validation ser...

Same vulnerability type (CWE-120)
CVE-2024-22039 10.0

This vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privi...

Same vulnerability type (CWE-120)
CVE-2022-22570 10.0

A buffer overflow vulnerability in UniFi Door Access Reader Lite firmware allows attackers with netw...

Same vulnerability type (CWE-120)