Use-after-free vulnerability in Omron CX-Drive


CX-Drive provided by Omron Corporation contains a use-after-free vulnerability (CWE-416).

Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products

OMRON Corporation
  • CX-Drive V3.00 and earlier

To check the product names and versions, refer to the manual "CX-Drive Operation User's Manual (SBCE-375)" provided by the developer.

By having a user to open a specially crafted file, arbitrary code may be executed.

[Apply Workarounds]
Applying the following workarounds may mitigate the impact of this vulnerability.
For more information, refer to the information provided by the developer under [Vendor Status] section's [Status (Vulnerable)] page.
Vendor Information

OMRON Corporation
CWE (What is CWE?)

  1. Use After Free(CWE-416) [Other]
CVE (What is CVE?)

  1. CVE-2022-46282

  1. JVN : JVNVU#92689335
Revision History

  • [2022/12/20]
      Web page was published