Recently I read about CVE-2022-38392, a physical-layer DoS vulnerability where Janet Jackson’s Rhythm Nation could crash laptops by matching the resonant frequency of legacy hard drives.
It’s weird, it’s quirky, and it’s impossible not to talk about.
Meet CVE-2022-38392
A major laptop manufacturer found that playing Rhythm Nation could crash not just the laptop it played on, but other nearby laptops as well. Why? Because a specific frequency in the song resonated with a vulnerable component in certain 5400 RPM laptop hard drives.
The attack didn’t need malware. It didn’t need root access. All it needed was… Playing Janet Jackson.
Official sources:
- https://devblogs.microsoft.com/oldnewthing/20220816-00/?p=106994
- https://www.youtube.com/watch?v=nSvu9IDUjZw&t=416s
- https://www.seagate.com/support/security/
How this vulnerability works
Inside every spinning hard drive, the platters rotate at thousands of revolutions per minute (RPM). In this case, 5400 RPM. Those platters are mounted on spindles, and the read/write head floats nanometers above the surface.
Like any mechanical system, these components have resonant frequencies — specific tones that, when hit just right, cause them to vibrate uncontrollably. It’s the same principle that makes a wine glass shatter when an opera singer hits the right pitch. It’s not about strength, it’s about frequency.
In this case, Rhythm Nation contained a frequency that aligned almost perfectly with the mechanical resonance of the drive’s platter assembly. When the song played at a loud enough volume, the vibration passed through the laptop’s chassis, shook the platter, and destabilized the read/write head. The result: the drive couldn’t read or write properly, and the system either froze, crashed, or bluescreened.
Even laptops not playing the song but sitting nearby — same make, same drive — were vulnerable.
CVE Breakdown
- ID: CVE-2022-38392
- Type: Denial-of-Service (DoS)
- Trigger: Audio resonance (sound waves)
- Attack Vector: Physical
- Affected: Certain 5400 RPM HDDs in old laptops (~2005)
- Impact: System crash, no persistence
- CVSS: 5.3 (Medium)
- Mitigation: OEMs added filters to block dangerous frequencies
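The mitigation in the list above, sketched as an added example (not the manufacturer's filter and not code from the original post): a second-order notch filter that removes one narrow band from an audio stream and leaves the rest untouched. `NOTCH_HZ`, `Q` and the sample rate are assumptions, since the page does not state the resonant frequency.

```python
import math

SAMPLE_RATE = 44_100      # Hz, assumed playback rate
NOTCH_HZ = 1_000.0        # PLACEHOLDER: the page does not state the resonant frequency
Q = 10.0                  # assumed; higher Q means a narrower notch


def notch_coefficients(f0, fs, q):
    """Second-order notch (Audio EQ Cookbook form), normalised so a0 == 1."""
    w0 = 2 * math.pi * f0 / fs
    alpha = math.sin(w0) / (2 * q)
    a0 = 1 + alpha
    b = (1 / a0, -2 * math.cos(w0) / a0, 1 / a0)
    a = (1.0, -2 * math.cos(w0) / a0, (1 - alpha) / a0)
    return b, a


def apply_biquad(samples, b, a):
    """Direct form I: y[n] = b0*x[n] + b1*x[n-1] + b2*x[n-2] - a1*y[n-1] - a2*y[n-2]."""
    x1 = x2 = y1 = y2 = 0.0
    out = []
    for x in samples:
        y = b[0] * x + b[1] * x1 + b[2] * x2 - a[1] * y1 - a[2] * y2
        out.append(y)
        x2, x1 = x1, x
        y2, y1 = y1, y
    return out


def rms(samples):
    return math.sqrt(sum(s * s for s in samples) / len(samples))


def steady_state_gain(freq, f0=NOTCH_HZ, fs=SAMPLE_RATE, q=Q, seconds=1.0):
    """Output/input RMS for a pure tone, skipping the first 0.1 s of filter settling."""
    n = int(fs * seconds)
    tone = [math.sin(2 * math.pi * freq * i / fs) for i in range(n)]
    filtered = apply_biquad(tone, *notch_coefficients(f0, fs, q))
    skip = fs // 10
    return rms(filtered[skip:]) / rms(tone[skip:])


if __name__ == "__main__":
    # Constructed test tones: well below, near, at, and well above the notch.
    for hz in (200.0, 900.0, NOTCH_HZ, 1_100.0, 5_000.0):
        print(f"{hz:7.0f} Hz -> gain {steady_state_gain(hz):.4f}")
```

A filter like this only shapes what the machine's own speakers emit; sound arriving from an external source never passes through it.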
A 1989 threat categorized in 2022: A thing or two learned about how CVEs work
CVE IDs reflect the date of disclosure, not the date the vulnerability came into existence. In this case:
- The song was released in 1989
- The vulnerable laptops shipped around 2005
- The CVE was assigned in 2022
To my understanding, the vulnerability always existed, but it wasn’t until 2022 that Raymond Chen (a Microsoft engineer) casually told the story on his blog:
Original post from Aug 16th, 2022: “Janet Jackson had the power to crash laptop computers” - https://devblogs.microsoft.com/oldnewthing/20220816-00/?p=106994
The comments are fun to read through, too.
And that’s when it got public traction,
“Wait… this is a legit physical DoS. It affected multiple systems. There was a real mitigation. That’s CVE-worthy.”
And MITRE formally assigned CVE-2022-38392.
Philosophy
This story is hilarious but it’s also profound.
It reminds us:
- Not all vulnerabilities are digital.
- Not all threats come from code.
- Some are physical. Analog. Side-channel. Completely unexpected.
- And some sit unnoticed for years until someone shines a light.
CVE-2022-38392 is a real vulnerability, but also a powerful metaphor. For me, it’s a parable about observation, time, and the strange bridge between physics and software (Yes, “mind is matter”, “software is physics”, but…), and how much we don’t know, or haven’t named yet.
It’s kind of like the gut–brain axis. For years, we had hints: food affects mood, antibiotics change behavior. But without a framework, it was folklore.
Then someone gave it structure. Built experiments. Assigned names. Published papers.
Now we say: “the microbiome regulates serotonin production” and it sounds obvious.
CVE-2022-38392 is the same. The vulnerability existed. It even had a mitigation. But until someone blogged about it, wrote it down, and sent it to the right place, the system didn’t see it.
Reality isn’t defined by what’s happening — it’s defined by what we’re ready to recognize. But anyways, this isn’t a philosophy site.
Final thoughts
Sure, this threat isn’t relevant now. But it reminds us that vulnerabilities aren’t always digital. Some threats like this come from physics and environment (And pop culture 😜). It’s crazy to think how the physical world can be a factor in cybersecurity. We have cold boot attacks and compromising electromagnetic emanations from keyboards, among others, but this one really stood out for me for its quirky nature.