CVE-2022-46338 - How a Keyboard LED Tool Could Leak All Your Keystrokes

Not all vulnerabilities make headlines, but some have serious privacy concerns hiding in unexpected places. CVE-2022-46338 is one of these. It affects g810-led .4.2, a tool to manage RGB lighting effects for Logitech Gx10 keyboards. This tool was meant to be cool, but a small mistake in its installation handed potential attackers a way to snoop on *all* your keystrokes, including passwords and other sensitive info.

In this post, I’ll walk you through what happened, show code snippets, and explain how this flaw could be exploited.

Quick Background

g810-led is an open source utility that lets users configure fancy RGB lighting patterns on Logitech keyboards such as the G810. It uses Linux’s udev system to allow normal (non-root) users to control the keyboard by changing the permissions on its device node.

But: in making things “convenient,” g810-led .4.2 went a little too far…

The Vulnerability: Overly Permissive udev Rule

When you install g810-led .4.2, it places a udev rule that sets the device files for supported Logitech keyboards to be world-readable and world-writable (mode 0666). Here’s the original udev rule:

# /lib/udev/rules.d/70-g810-led.rules

SUBSYSTEM=="hidraw", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c337", MODE="0666"

What does this do? Every time a compatible keyboard is plugged in, the /dev/hidrawX device node it uses gets permission 0666 (read/write by anyone). Normally, device files for keyboards are set with restricted permissions, so only privileged users or specific groups can access them.

Why is This Dangerous?

HID (Human Interface Device) devices like keyboards send raw traffic — that means *every single keypress* travels through this device file. If any process (even malware running as a low-privilege user) can read /dev/hidrawX, then it can:

Track user behavior and activity

This basically turns your system into a keylogger paradise.

Let’s see how simple it is to read raw keyboard traffic if you have access

#!/usr/bin/env python3

hidraw = "/dev/hidraw2"  # Use 'ls /dev/hidraw*' to figure out correct number!

with open(hidraw, "rb") as f:
    while True:
        data = f.read(8)
        print(data)

If you have permission, this script just dumps HID packets from the keyboard. With a mapping table, anyone can decode this raw traffic into readable keystrokes (see this example for details).

Normal user or malware compromises any regular user account

2. That user, thanks to the udev rule, can open /dev/hidrawX in read mode

Sensitive data like passwords, messages, and credit card numbers are intercepted

No root, no tricks, no need to install kernel modules — this is as easy as cat /dev/hidrawX.

Fix and Mitigation

MatMoul, the upstream maintainer, tracked this as #214 and issued a patch in December 2022. The fixed udev rule restricts access to users in the g810-led group:

MODE="066", GROUP="g810-led"

Or, edit the udev rule to restrict device node access to a specific user group, not all users

- Remove world-readable permissions from /dev/hidraw* if no longer needed

References

- CVE-2022-46338 Official Page
- g810-led commit fixing permissions
- g810-led Issue Tracker #214
- How to decode HID raw traffic on Linux

Summary

CVE-2022-46338 is a great example of how a feature meant to help users can wind up compromising everyone’s security. By being too generous with permissions on keyboard devices, g810-led unintentionally created a keylogging hole wide open to any local process.

Takeaway: If you use extra software to manage your hardware, always check what permissions it applies — and keep everything up to date.

Timeline

Published on: 11/30/2022 06:15:00 UTC
Last modified on: 12/06/2022 19:27:00 UTC