CVE-2022-26073
Description
A denial of service vulnerability exists in the libxm_av.so DemuxCmdInBuffer functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted set of network packets can lead to a device reboot. An attacker can send packets to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A specially-crafted set of network packets sent over TCP can trigger an integer overflow in the DemuxCmdInBuffer function of Anker Eufy Homebase 2, leading to a denial of service via device reboot.
Vulnerability
The vulnerability resides in the libxm_av.so library, specifically in the DemuxCmdInBuffer function accessed via the WifiComRecv_Pth server thread that listens on TCP port 32295. An integer overflow (CWE-190) occurs when processing a specially-crafted set of network packets. Affected devices are Anker Eufy Homebase 2 running firmware version 2.1.8.5h [1]. No authentication is required, as the code path relies on getpeermac() for device identification but not for access control [1].
Exploitation
An attacker needs to be on the same local area network as the targeted Homebase 2 device. By sending a sequence of crafted network packets to TCP port 32295, the attacker can trigger the integer overflow in the DemuxCmdInBuffer function. No authentication or user interaction is required [1]. The exact packet structure is not publicly detailed but is described as 'specially-crafted' by the vendor advisory.
Impact
Successful exploitation causes a denial of service condition resulting in a device reboot. The attack has no impact on confidentiality or integrity; the only impact is on availability (High). The CVSSv3 score is 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) [1].
Mitigation
As of the publication date (2022-05-05), no firmware update had been released by Anker Eufy. The vendor was notified and confirmed the vulnerability [1]. Users should monitor vendor channels for an updated firmware version. If available, apply the patch promptly. No workaround is provided in the available references [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: = 2.1.8.5h
- (no CPE) range: 2.1.8.5h
Patches
No patches discovered yet.
References
- [1] talosintelligence.com/vulnerability_reports/TALOS-2022-1480 (mitre, x_refsource_MISC)