CVE-2022-46663
Description
GNU Less before version 609 improperly filters ANSI escape sequences when using -R, allowing crafted input to cause denial of service via terminal state machine bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GNU Less before version 609 improperly filters ANSI escape sequences when using `-R`, allowing crafted input to cause denial of service via terminal state machine bypass.
Vulnerability
In GNU Less versions 566 through 608 (the latest public release before 609), the -R option intended to pass through raw ANSI escape sequences for proper rendering fails to correctly handle terminal state machine transitions. This allows crafted data to inject escape sequences that bypass the intended filtering. The issue affects less downstream packages, such as sys-apps/less on Gentoo before version 608-r2 [4]. The fix commit a78e1351113cef564d790a730d657a321624d79c [1][2] has been applied upstream but was not part of any formal release at the time of disclosure.
Exploitation
An attacker can craft a file containing specially designed escape sequences that exploit the incomplete state machine handling. For example, executing printf "\e]8;;\e0m\e[>0q" > less-example-xtversion; less -R less-example-xtversion triggers a response from the terminal (e.g., xterm or iTerm2) that causes Less to repeatedly scroll and print output, leading to a denial-of-service condition [1][2]. No special privileges or user interaction beyond opening the crafted file in Less with -R is required.
Impact
Successful exploitation results in denial of service: the terminal may be flooded with repeated scrolling and output, consuming system resources and rendering the terminal session unusable. Depending on the terminal emulator, the attack could also clear the terminal screen or manipulate displayed content, potentially tricking the user into seeing misleading information [4]. The vulnerability does not appear to allow arbitrary code execution or persistent data compromise.
Mitigation
A fix has been committed to the upstream Less repository (commit a78e1351113cef564d790a730d657a321624d79c) but not yet released in a stable version [1][2]. As a workaround, users should avoid using the -R option when viewing untrusted files, or upgrade to the patched version when available. Distribution-specific updates may be provided; for example, Gentoo has released version 608-r2 as the unaffected version [4]. No workarounds other than not using -R with untrusted input are known at this time.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
8- osv-coords6 versionspkg:rpm/almalinux/lesspkg:rpm/opensuse/less&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/less&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/less&distro=openSUSE%20Tumbleweedpkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4
< 590-2.el9_2+ 5 more
- (no CPE)range: < 590-2.el9_2
- (no CPE)range: < 590-150400.3.3.1
- (no CPE)range: < 590-150400.3.3.1
- (no CPE)range: < 608-2.1
- (no CPE)range: < 590-150400.3.3.1
- (no CPE)range: < 590-150400.3.3.1
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
6- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LR7AUWB34JD4PCW3HHASBEDGGHFWPAQP/mitrevendor-advisory
- security.gentoo.org/glsa/202310-11mitrevendor-advisory
- www.openwall.com/lists/oss-security/2023/02/07/7mitremailing-list
- www.greenwoodsoftware.com/less/news.609.htmlmitre
- github.com/gwsw/less/commit/a78e1351113cef564d790a730d657a321624d79cmitre
- www.openwall.com/lists/oss-security/2023/02/07/7mitre
News mentions
0No linked articles in our index yet.