CVE-2022-46663

7.5 HIGH

📋 TL;DR

This vulnerability in GNU Less allows crafted data to bypass ANSI escape sequence filtering when using the '-R' flag, potentially enabling terminal manipulation. It affects users who process untrusted files with 'less -R' or have it configured as their default pager. The impact is limited to terminal sessions where malicious content is displayed.

💻 Affected Systems

Products:
  • GNU Less
Versions: All versions before 609
Operating Systems: Linux, Unix-like systems, macOS, BSD variants
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using the '-R' flag (raw control characters) or when the LESS environment variable includes 'R'. Many systems use 'less' as the default pager without '-R'.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could execute arbitrary commands in the user's terminal session by injecting malicious escape sequences, potentially leading to full terminal compromise, data theft, or lateral movement.

🟠 Likely Case

Terminal display corruption, unexpected behavior, or limited command injection depending on terminal emulator security features and user interaction.

🟢 If Mitigated

Minimal impact if users avoid processing untrusted files with 'less -R' or use updated versions with proper filtering.

🌐 Internet-Facing: LOW - Requires user interaction with malicious content and specific 'less -R' usage, not directly network-exploitable.
🏢 Internal Only: MEDIUM - Internal users processing untrusted files or logs with 'less -R' could be affected, especially in shared environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a user to open a malicious file with 'less -R'. A proof of concept exists in security advisories showing escape sequence injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 609 and later

Vendor Advisory: http://www.greenwoodsoftware.com/less/news.609.html

Restart Required: No

Instructions:

1. Check current version: less --version
2. Update via package manager: sudo apt update && sudo apt install less (Debian/Ubuntu) or sudo yum update less (RHEL/CentOS)
3. Verify update: less --version should show 609 or higher
4. Recompile from source if needed using patched version from official site

🔧 Temporary Workarounds

Avoid less -R with untrusted files (platform: all)

Do not use 'less -R' when viewing files from untrusted sources. Use plain 'less' or other viewers.

Remove R from LESS environment variable (platform: linux)

Ensure the LESS environment variable does not include the 'R' flag, to prevent automatic raw character processing.

unset LESS
export LESS="-X"

🧯 If You Can't Patch

  • Restrict file permissions to prevent untrusted users from creating files that might be viewed with less -R
  • Use alternative pager programs like 'more' or configure applications to use different pagers

🔍 How to Verify

Check if Vulnerable:

Run: less --version | head -1. If the version is earlier than 609, the system is vulnerable when using less -R.

Check Version:

less --version | head -1

Verify Fix Applied:

After the update, run: less --version | head -1. It should show 609 or higher. Test with: echo -e '\033[31mtest\033[0m' | less -R, which should display colored text without escape sequences visible.
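
The version check and the LESS variable check above can be combined into one audit helper. This is an added example, not code from the vendor advisory; the function names and the four status labels are assumptions made for illustration, and the 'R' detection is a heuristic.

```shell
#!/bin/sh
# Added example (not from the advisory): classify exposure to CVE-2022-46663.
FIXED_VERSION=609   # first fixed release, per this page

# Pull the numeric version out of the first line of `less --version`,
# e.g. "less 590 (PCRE2 regular expressions)" -> 590. Prints nothing if the
# banner is not recognised.
parse_less_version() {
    printf '%s\n' "$1" | sed -n '1s/^less \([0-9][0-9]*\).*/\1/p'
}

# Return 0 if an option string (the LESS variable or pager arguments) turns on
# -R / --RAW-CONTROL-CHARS. Heuristic: other long options are dropped, then any
# remaining 'R' counts, so an option argument containing 'R' is a false positive.
opts_enable_raw() {
    case " $1 " in *" --RAW-CONTROL-CHARS"*) return 0 ;; esac
    short=$(printf '%s\n' "$1" | sed 's/--[^ ]*//g')
    case "$short" in *R*) return 0 ;; *) return 1 ;; esac
}

# Print one of: patched, exposed, outdated-raw-off, unknown.
assess() {
    ver=$(parse_less_version "$1")
    [ -n "$ver" ] || { echo unknown; return; }
    if [ "$ver" -ge "$FIXED_VERSION" ]; then
        echo patched
    elif opts_enable_raw "$2"; then
        echo exposed
    else
        echo outdated-raw-off
    fi
}

# Check this host: installed binary plus the current LESS variable.
echo "less: $(assess "$(less --version 2>/dev/null | head -1)" "${LESS:-}")"
```

Pager arguments from PAGER, MANPAGER or Git's core.pager can be passed as the second argument in the same way. Git sets LESS to FRX when the variable is unset, so pass that string to model Git's default pager.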

📡 Detection & Monitoring

Log Indicators:

  • Unusual terminal escape sequences in files being viewed
  • Unexpected process execution following less usage

Network Indicators:

  • Not network exploitable - no direct network indicators

SIEM Query:

Process execution where command contains 'less -R' followed by suspicious child processes
