CVE-2022-23597

HIGH
8.8 CVSS 3.1
Published Feb 1, 2022 (4y ago) · Last Modified Jun 17, 2026 (2w ago)

Description

Element Desktop is a Matrix client for desktop platforms with Element Web at its core. Element Desktop before 1.9.7 is vulnerable to a remote program execution bug with user interaction. The exploit is non-trivial and requires clicking on a malicious link, followed by another button click. To the best of our knowledge, the vulnerability has never been exploited in the wild. If you are using Element Desktop < 1.9.7, we recommend upgrading at your earliest convenience. If successfully exploited, the vulnerability allows an attacker to specify a file path of a binary on the victim's computer which then gets executed. Notably, the attacker does *not* have the ability to specify program arguments. However, in certain unspecified configurations, the attacker may be able to specify a URI instead of a file path which then gets handled using standard platform mechanisms. These may allow exploiting further vulnerabilities in those mechanisms, potentially leading to arbitrary code execution.

CVSS Details

Base Score 8.8
Exploitability 2.8
Impact 5.9
Vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416: Use After Free (Memory Safety)

Affected Products 1

Vendor    Product    Version    Range
element   desktop    *          <1.9.7

References 2

  • github.com https://github.com/vector-im/element-desktop/commit/89b1e39b801655e595337708d4319ba4313feafa
    Patch, Third Party Advisory
  • github.com https://github.com/vector-im/element-desktop/security/advisories/GHSA-mjrg-9f8r-h3m7
    Third Party Advisory

Remediation

  • github.com https://github.com/vector-im/element-desktop/commit/89b1e39b801655e595337708d4319ba4313feafa
    Patch, Third Party Advisory