Critical severityNVD Advisory· Published Apr 7, 2022· Updated Aug 3, 2024

CVE-2022-27818

Description

SWHKD 1.1.5 unsafely uses the /tmp/swhkd.sock pathname. There can be an information leak or denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SWHKD 1.1.5 uses an unsafe hardcoded /tmp/swhkd.sock path, allowing local information leak or denial of service.

Vulnerability

SWHKD versions 1.1.5 and earlier use a hardcoded UNIX socket path /tmp/swhkd.sock for inter-process communication between the unprivileged swhks server and the privileged swhkd daemon [1][4]. Because the socket resides in a world-writable directory, any local user can create a symbolic link or pre-create the socket file before the daemon starts, leading to a classic TOCTOU (time-of-check time-of-use) race condition or symlink attack. The affected versions are those prior to the 1.2.0 release [4].

Exploitation

A local attacker without special privileges needs only the ability to create files in /tmp. By predicting when swhkd will start and creating a symlink at /tmp/swhkd.sock pointing to an arbitrary file (e.g., another user’s sensitive file), the attacker can trick the daemon into leaking information or causing a denial of service when the server attempts to connect or write to the socket [1]. The attack does not require user interaction with the hotkey daemon itself.

Impact

Successful exploitation can lead to local information disclosure (reading sensitive data from files the attacker would not normally have access to) or a denial of service by causing the daemon to fail or crash [1][4]. The attacker does not gain privilege escalation; the compromise is limited to the file permissions of the targeted file or the stability of the swhkd service.

Mitigation

SWHKD version 1.2.0, released in April 2022, fixes this issue by moving the socket to a secure location (using $XDG_RUNTIME_DIR or a similar user-specific path) [4]. Users should update to swhkd 1.2.0 or later. No workaround is available for earlier versions other than ensuring that the system’s /tmp is cleared on reboot and that only trusted users have local access.

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
Simple-Wayland-HotKey-Daemoncrates.io	< 1.2.0	1.2.0

Affected products

SWHKD/SWHKDdescription
ghsa-coords
pkg:cargo/simple-wayland-hotkey-daemon
Range: < 1.2.0

Patches

f70b99dd575f

[patch] CVE-2022-27818

https://github.com/waycrate/swhkdShinyzenithMar 25, 2022via ghsa

commit

2 files changed · +7 −9

src/daemon.rs+5 −8 modified

@@ -94,11 +94,6 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
 
         log::debug!("Using config file path: {:#?}", config_file_path);
 
-        if !config_file_path.exists() {
-            log::error!("{:#?} doesn't exist", config_file_path);
-            exit(1);
-        }
-
         let hotkeys = match config::load(&config_file_path) {
             Err(e) => {
                 log::error!("Config Error: {}", e);
@@ -319,7 +314,9 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
 }
 
 fn sock_send(command: &str) -> std::io::Result<()> {
-    let mut stream = UnixStream::connect("/tmp/swhkd.sock")?;
+    let sock_file_path =
+        String::from(format!("/run/user/{}/swhkd.sock", env::var("PKEXEC_UID").unwrap()));
+    let mut stream = UnixStream::connect(sock_file_path)?;
     stream.write_all(command.as_bytes())?;
     Ok(())
 }
@@ -402,11 +399,11 @@ pub fn fetch_xdg_config_path() -> std::path::PathBuf {
 }
 
 pub fn seteuid(uid: u32) {
-    let uid = nix::unistd::Uid::from_raw(uid);
+    let uid = Uid::from_raw(uid);
     match nix::unistd::seteuid(uid) {
         Ok(_) => log::debug!("Dropping privileges..."),
         Err(e) => {
-            log::error!("Failed to set UID: {:#?}", e);
+            log::error!("Failed to set EUID: {:#?}", e);
             exit(1);
         }
     }

src/server.rs+2 −1 modified

@@ -1,3 +1,4 @@
+use nix::unistd;
 use std::io::prelude::*;
 use std::os::unix::net::UnixListener;
 use std::{
@@ -12,7 +13,7 @@ fn main() -> std::io::Result<()> {
     env_logger::init();
 
     let pid_file_path = String::from("/tmp/swhks.pid");
-    let sock_file_path = String::from("/tmp/swhkd.sock");
+    let sock_file_path = String::from(format!("/run/user/{}/swhkd.sock", unistd::Uid::current()));
 
     if Path::new(&pid_file_path).exists() {
         log::trace!("Reading {} file and checking for running instances.", pid_file_path);

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-r3r5-jhw6-4634ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-27818ghsaADVISORY
www.openwall.com/lists/oss-security/2022/04/14/1ghsamailing-listx_refsource_MLISTWEB
github.com/waycrate/swhkd/commit/f70b99dd575fab79d8a942111a6980431f006818ghsax_refsource_MISCWEB
github.com/waycrate/swhkd/releases/tag/1.2.0ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000