CVE-2022-25987

Vulnerability

The vulnerability resides in the Intel(R) C++ Compiler Classic (part of Intel oneAPI Toolkits) before version 2021.6 for oneAPI Toolkits before version 2022.2 [1]. It involves improper handling of Unicode encoding in source code that is compiled by the compiler. This flaw can be triggered when a specially crafted source file containing malicious Unicode sequences is processed by the compiler.

Exploitation

An unauthenticated attacker can potentially achieve escalation of privilege via network access [1]. The attacker would need to supply a malicious source code file to the compiler (for example, by convincing a developer or build system to compile it). No authentication is required, but the attacker must be able to deliver the crafted file to the compilation process.

Impact

Successful exploitation could allow the attacker to escalate privileges, potentially leading to arbitrary code execution with the privileges of the compiler process or other system compromise. The specific impact is an elevation of privilege, which may result in disclosure of information, modification of data, or disruption of service [1].

Mitigation

Intel has released updated versions that fix this vulnerability: Intel(R) C++ Compiler Classic version 2021.6 or later for Intel(R) oneAPI Toolkits version 2022.2 or later [1]. Users should update to the latest versions. There is no known workaround. This CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.