CVE-2022-26917

FAQ

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

In what scenarios is my computer vulnerable?

For Windows 11 and Windows 10 the FAX service is not installed by default. For the vulnerability to be exploitable, the Windows Fax and Scan feature needs to be enabled, and the Fax service needs to be running. Systems that do not have the Fax service running are not vulnerable.

How can I verify whether the Fax service is running?

1. Hold the Windows key and press R on your keyboard. This will open the Run dialog.
2. Type services.msc and press Enter to open the Services window.
3. Scroll through the list and locate the Fax service.
   • If the Fax service is not listed, Windows Fax and Scan is not enabled and the system is not vulnerable.
   • If the Fax service is listed but the status is not Running, then the system is not vulnerable at the time, but could be targeted if the service was started. The update should be installed as soon as possible or the Fax service should be removed if not needed.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Exploitation of the vulnerability requires that a user import a specially crafted contact record and then send it a FAX.