CVE-2022-46149

CVE-2022-46149 is a medium-severity out-of-bounds read vulnerability in capnp (rust), affecting versions >= 0.15.0, < 0.15.2. It is fixed in 0.15.2, 0.14.11, 0.13.7.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Cap'n Proto and its Rust implementation vulnerable to out-of-bounds read due to logic error handling list-of-list

The Cap'n Proto library and capnp Rust package are vulnerable to out-of-bounds read due to logic error handling list-of-list. If a message consumer expects data of type "list of pointers", and if the consumer performs certain specific actions on such data, then a message producer can cause the consumer to read out-of-bounds memory. This could trigger a process crash in the consumer, or in some cases could allow exfiltration of private in-memory data.

Impact
  • Remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type.
  • Possible exfiltration of memory, if the victim performs additional certain actions on a list-of-pointer type.
  • To be vulnerable, an application must perform a specific sequence of actions, described below. At present, we are not aware of any vulnerable application, but we advise updating regardless.
Fixed in

Unfortunately, the bug is present in inlined code, therefore the fix will require rebuilding dependent applications.

C++ fix:

Rust fix:

  • capnp crate version 0.15.2, 0.14.11, or 0.13.7
Details

A specially-crafted pointer could escape bounds checking by exploiting inconsistent handling of pointers when a list-of-structs is downgraded to a list-of-pointers.

For an in-depth explanation of how this bug works, see David Renshaw's blog post. This details below focus only on determining whether an application is vulnerable.

In order to be vulnerable, an application must have certain properties.

First, the application must accept messages with a schema in which a field has list-of-pointer type. This includes List(Text), List(Data), List(List(T)), or List(C) where C is an interface type. In the following discussion, we will assume this field is named foo.

Second, the application must accept a message of this schema from a malicious source, where the attacker can maliciously encode the pointer representing the field foo.

Third, the application must call getFoo() to obtain a List<T>::Reader for the field, and then use it in one of the following two ways:

  1. Pass it as the parameter to another message's setFoo(), thus copying the field into a new message. Note that copying the parent struct as a whole will not trigger the bug; the bug only occurs if the specific field foo is get/set on its own.

  2. Convert it into AnyList::Reader, and then attempt to access it through that. This is much less likely; very few apps use the AnyList API.

The dynamic API equivalents of these actions (capnp/dynamic.h) are also affected.

If the application does these steps, the attacker may be able to cause the Cap'n Proto implementation to read beyond the end of the message. This could induce a segmentation fault. Or, worse, data that happened to be in memory immediately after the message might be returned as if it were part of the message. In the latter case, if the application then forwards that data back to the attacker or sends it to another third party, this could result in exfiltration of secrets.

Any exfiltration of data would have the following limitations:

  • The attacker could exfiltrate no more than 512 KiB of memory immediately following the message buffer.
    • The attacker chooses in advance how far past the end of the message to read.
    • The attacker's message itself must be larger than the exfiltrated data. Note that a sufficiently large message buffer will likely be allocated using mmap() in which case the attack will likely segfault.
  • The attack can only work if the 8 bytes immediately following the exfiltrated data contains a valid in-bounds Cap'n Proto pointer. The easiest way to achieve this is if the pointer is null, i.e. 8 bytes of zero.
    • The attacker must specify exactly how much data to exfiltrate, so must guess exactly where such a valid pointer will exist.
    • If the exfiltrated data is not followed by a valid pointer, the attack will throw an exception. If an application has chosen to ignore exceptions (e.g. by compiling with -fno-exceptions and not registering an alternative exception callback) then the attack may be able to proceed anyway.

Impact

A read operation accesses a memory location beyond the intended buffer boundary. Typical impact: sensitive data disclosure or crash.

CVE-2022-46149 has a CVSS score of 5.4 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.15.2, 0.14.11, 0.13.7); upgrading removes the vulnerable code path.

Affected versions

capnp (>= 0.15.0, < 0.15.2) capnp (>= 0.14.0, < 0.14.11) capnp (< 0.13.7)

Security releases

capnp → 0.15.2 (rust) capnp → 0.14.11 (rust) capnp → 0.13.7 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade the following packages to resolve this vulnerability:

capnp to 0.15.2 or later; capnp to 0.14.11 or later; capnp to 0.13.7 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2022-46149? CVE-2022-46149 is a medium-severity out-of-bounds read vulnerability in capnp (rust), affecting versions >= 0.15.0, < 0.15.2. It is fixed in 0.15.2, 0.14.11, 0.13.7. A read operation accesses a memory location beyond the intended buffer boundary.
  2. How severe is CVE-2022-46149? CVE-2022-46149 has a CVSS score of 5.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of capnp are affected by CVE-2022-46149? capnp (rust) versions >= 0.15.0, < 0.15.2 is affected.
  4. Is there a fix for CVE-2022-46149? Yes. CVE-2022-46149 is fixed in 0.15.2, 0.14.11, 0.13.7. Upgrade to this version or later.
  5. Is CVE-2022-46149 exploitable, and should I be worried? Whether CVE-2022-46149 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2022-46149 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2022-46149?
    • Upgrade capnp to 0.15.2 or later
    • Upgrade capnp to 0.14.11 or later
    • Upgrade capnp to 0.13.7 or later

Other vulnerabilities in capnp

Stop the waste.
Protect your environment with Kodem.