VYPR
Unrated severity · NVD Advisory · Published Jun 17, 2022 · Updated Apr 15, 2025

CVE-2022-21806

Description

A use-after-free vulnerability exists in the mips_collector appsrv_server functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted set of network packets can lead to remote code execution. The device is exposed to attacks from the network.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in Anker Eufy Homebase 2's mips_collector allows remote code execution via crafted network packets.

Vulnerability

A use-after-free vulnerability exists in the mips_collector binary's appsrv_server functionality of Anker Eufy Homebase 2 version 2.1.8.5h [1]. The server binds on TCP port 5000 and processes messages from the cloud. A specially-crafted set of network packets can trigger a race condition (CWE-368) leading to a use-after-free condition.

Exploitation

An unauthenticated attacker with network access to the device can trigger the vulnerability by sending a series of specially-crafted packets, for example by repeatedly sending an invalid packet such as bytearray(b'\xfe'). No authentication or user interaction is required [1].

Impact

Successful exploitation yields remote code execution with high impact on confidentiality, integrity, and availability. The CVSSv3 score is 10.0 (Critical), with scope changed, indicating the attacker can fully compromise the device and potentially pivot to other network assets [1].

Mitigation

As of the publication date, no fix has been released. Users are advised to monitor vendor updates for a patched firmware version. The device is exposed to attacks from the network; isolating it from untrusted networks may reduce risk [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Anker/Eufy Homebase 2 · llm-fuzzy · 2 versions
    • (no CPE) range: = 2.1.8.5h
    • (no CPE) range: 2.1.8.5h

Patches

0

No patches discovered yet.

References

1
