CVE-2022-48624
Description
In less before 606, close_altfile omits shell_quote calls for filenames when invoking LESSCLOSE, enabling command injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the close_altfile function in filename.c of less. Prior to version 606, the function fails to call shell_quote on filenames when constructing the shell command from the LESSCLOSE environment variable. This allows an attacker to inject arbitrary shell commands via a crafted filename. Affected versions are less before 606 [2].
Exploitation
An attacker must be able to supply a filename that less will process, for example by placing a file with a malicious name in a directory that a victim opens with less. No authentication is required if the attacker can control the filename. When less closes the file, it invokes the LESSCLOSE command with the unsanitized filename and altfilename, leading to command injection [3].
Impact
Successful exploitation allows arbitrary command execution with the privileges of the user running less. This can result in full system compromise, depending on the user's permissions.
Mitigation
The issue is fixed in less version 606, released in June 2022 [2]. Users should upgrade to version 606 or later. No workaround is available other than avoiding the use of LESSCLOSE or ensuring all filenames are trusted. This CVE is not listed on the CISA Known Exploited Vulnerabilities catalog as of publication.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (27)
- less/less (description)
- osv-coords (25 versions):
  - pkg:rpm/almalinux/less (no CPE), range: < 530-2.el8_9
  - pkg:rpm/opensuse/less&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 590-150400.3.6.2
  - pkg:rpm/opensuse/less&distro=openSUSE%20Leap%20Micro%205.3 (no CPE), range: < 590-150400.3.6.2
  - pkg:rpm/opensuse/less&distro=openSUSE%20Leap%20Micro%205.4 (no CPE), range: < 590-150400.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Enterprise%20Storage%207.1 (no CPE), range: < 530-150000.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS (no CPE), range: < 530-150000.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS (no CPE), range: < 530-150000.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS (no CPE), range: < 590-150400.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS (no CPE), range: < 590-150400.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 (no CPE), range: < 530-150000.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 (no CPE), range: < 530-150000.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 (no CPE), range: < 590-150400.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 (no CPE), range: < 590-150400.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Micro%205.5 (no CPE), range: < 590-150400.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 (no CPE), range: < 590-150400.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 458-7.12.1
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS (no CPE), range: < 530-150000.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS (no CPE), range: < 530-150000.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS (no CPE), range: < 590-150400.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 458-7.12.1
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 (no CPE), range: < 530-150000.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 (no CPE), range: < 530-150000.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 (no CPE), range: < 590-150400.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Manager%20Proxy%204.3 (no CPE), range: < 590-150400.3.6.2
  - pkg:rpm/suse/less&distro=SUSE%20Manager%20Server%204.3 (no CPE), range: < 590-150400.3.6.2
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The close_altfile function in filename.c omits shell_quote calls for the LESSCLOSE variable, allowing shell metacharacters in filenames to be interpreted."
Attack vector
An attacker can craft a filename containing shell metacharacters, such as backticks or semicolons. When this filename is processed by the less utility, and the LESSCLOSE environment variable is set to a command, these metacharacters can be interpreted by the shell, leading to arbitrary command execution [ref_id=1]. This occurs when the close_altfile function is invoked with such a specially crafted filename.
Affected code
The vulnerability resides in the close_altfile function within the filename.c file. Specifically, lines around 986-991 in the original code did not properly quote filenames passed to the LESSCLOSE command. The patch modifies this section by adding calls to shell_quote for filename and altfilename before they are incorporated into the command string [ref_id=1].
What the fix does
The patch introduces calls to shell_quote for both filename and altfilename before they are used in the SNPRINTF2 macro within the close_altfile function [ref_id=1]. This ensures that any shell metacharacters present in the filenames are properly escaped, preventing them from being interpreted by the shell when the LESSCLOSE command is executed. Consequently, arbitrary command execution is no longer possible.
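The difference between the two command strings, as an added example that is not code from less: quote_arg is a simplified single-quote stand-in for shell_quote, and the LESSCLOSE value, function names and sample filename are constructed for illustration. Nothing is executed; the program only builds and prints the strings a shell would receive.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed LESSCLOSE value; real values are site-specific. */
#define LESSCLOSE_FMT "lessclose.sh %s %s"

/* Stand-in for less's shell_quote(), not its implementation: wraps s in
 * single quotes and rewrites each embedded ' as '\''. Caller frees. */
static char *quote_arg(const char *s)
{
    size_t n = 3; /* opening quote, closing quote, NUL */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *o = out;
    if (out == NULL) return NULL;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\''; *o = '\0';
    return out;
}

/* Before the fix, as the page describes: names are inserted verbatim. */
static int build_unquoted(char *buf, size_t len, const char *file, const char *alt)
{
    int n = snprintf(buf, len, LESSCLOSE_FMT, file, alt);
    return (n < 0 || (size_t)n >= len) ? -1 : n; /* -1 on truncation */
}

/* After the fix: both names are quoted before expansion. */
static int build_quoted(char *buf, size_t len, const char *file, const char *alt)
{
    char *qf = quote_arg(file), *qa = quote_arg(alt);
    int n = (qf && qa) ? snprintf(buf, len, LESSCLOSE_FMT, qf, qa) : -1;
    free(qf); free(qa);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
    char cmd[256]; /* the filename below is a constructed sample */
    if (build_unquoted(cmd, sizeof cmd, "notes; echo INJECTED", "/tmp/alt") > 0)
        puts(cmd); /* a shell would parse this as two commands */
    if (build_quoted(cmd, sizeof cmd, "notes; echo INJECTED", "/tmp/alt") > 0)
        puts(cmd); /* a shell would parse this as one command, two arguments */
    return 0;
}
```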
Preconditions
- input: The filename or altfilename must contain shell metacharacters.
- config: The LESSCLOSE environment variable must be set to a command that utilizes the filename or altfilename arguments.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions (0)
No linked articles in our index yet.