Canon Group

Regarding vulnerability measures against buffer overflow for Laser Printers/Inkjet Printers and Small Office Multifunction Printers

16th February 2022

Multiple cases of buffer overflow vulnerabilities have been confirmed for Canon Laser Printers/Inkjet Printers and Small Office Multifunction Printers (refer to the affected models shown below).

(CVE-2022-24672, CVE-2022-24673, CVE-2022-24674)

These vulnerabilities suggest the possibility that, if a product is connected directly to the Internet without using a wired or Wi-Fi router, a third party on the Internet may execute arbitrary code or the product could be subjected to a Denial-of-Service (DoS) attack.

We have not received any reports of damage to date.

For the safety of your products, please update the firmware of the affected products to the latest version.

At the same time, do not connect the products directly to the Internet. Instead, set a private IP address on a secure private network configured via a firewall product or a wired/Wi-Fi router.

For details, please refer to the following link:
“Regarding security for products connected to a network”
https://psirt.canon/hardening/

We will work to further strengthen security measures to ensure that customers can continue using Canon products with peace of mind.

The Laser Printers/Inkjet Printers and Small Office Multifunction Printers that require the countermeasure:
MF6180DW
MF8580CDW
MF810CDN
MF729CX
LBP251DW/253X
MF416DW/419X
MF515X
LBP654CX
MF735CX
LBP215X
MF426DW/429X
MF525X
LBP664CX
C1127iF
MF746CX
iR1643iF
LBP223DW/228X
MF445DW/449X
MF543X
MF1643iF II
WG7650

As soon as we confirm the vulnerability of other products, we will inform you immediately on this page.

Firmware for the Small Office Multifunction & Laser Printers:

Download from here


CANON would like to thank the following people for identifying this vulnerability.
• CVE-2022-24672: Mehdi Talbi (@abu_y0ussef), Remi Jullian (@netsecurity1), Thomas Jeunet (@cleptho), from @Synacktiv working with Trend Micro's Zero Day Initiative
• CVE-2022-24673: Angelboy (@scwuaptx) from DEVCORE Research Team working with Trend Micro's Zero Day Initiative
• CVE-2022-24674: Nicolas Devillers (@nikaiw), Jean-Romain Garnier and Raphael Rigo (@_trou_) working with Trend Micro's Zero Day Initiative
