In 2022, Microsoft disclosed a CVE for a 5400 RPM hard drive that could be crashed by playing Janet Jackson's 'Rhythm Nation.' This is not satire. This is security research.
Let me set the scene.
It’s 2022. A Microsoft engineer — presumably a very serious person doing very serious security work — files CVE-2022-38392. The vulnerability? Certain 5400 RPM OEM laptop hard drives will crash when exposed to a specific audio frequency.
The audio frequency in question is produced by Janet Jackson’s “Rhythm Nation” (1989).
I’ll give you a moment.
This isn’t theoretical. This is a thing that actually occurred in production. A major computer manufacturer discovered that playing “Rhythm Nation” near certain laptops caused them to crash — not just the laptop playing the song, but nearby laptops too. Proximity was all it took. Janet Jackson as an airborne denial-of-service vector.
The root cause is resonant frequency. The song contains audio components that match the natural resonant frequency of the hard drive platters in certain 5400 RPM drives. When the platters vibrate at their own resonant frequency, the read/write heads lose track, the drive freaks out, and the OS panics.
This is the acoustic equivalent of a wine glass shattering when an opera singer hits the right note — except instead of a wine glass, it’s your quarterly reports.
The fix, per the CVE, was a custom audio filter applied in the audio pipeline to notch out the offending frequency. They literally patched a Janet Jackson song.
There’s only one way to find out. Consider the link below a penetration test:
▶ Janet Jackson — Rhythm Nation (YouTube)
If your laptop crashes, you’re unpatched. If it doesn’t, you either have an SSD or you survived. Either way, you’re welcome.
Security researchers spend most of their time in the weeds — sifting through memory dumps, diffing binaries, tracing syscalls. And then there’s this: a bug that only manifests when a 1989 pop hit is within earshot of unpatched hardware.
It’s a reminder that attack surfaces are everywhere. We think in terms of network packets, malformed inputs, and privilege escalation chains. We don’t think in terms of music.
The threat model nobody wrote:
ATTACKER → plays song → hard drive crashes
IMPACT → data loss, DoS
VECTOR → acoustic / physical proximity
CVSS → somehow this got a real CVE numberThis is the beauty of bug hunting. The best bugs aren’t always hiding in obscure kernel code or a forgotten API endpoint. Sometimes they’re hiding in the vibration patterns of a rotating magnetic disk, waiting for someone to queue up the right playlist.
I like to imagine how this conversation went internally:
Engineer: “So I found a bug.”
Manager: “Great. What triggers it?”
Engineer: “Janet Jackson.”
Manager: “…the singer?”
Engineer: “Yes. ‘Rhythm Nation’ specifically.”
Manager: “I’m going to need you to write that up.”
And they did. They filed it with MITRE. It got a CVE number. It is now permanently enshrined in the National Vulnerability Database alongside SQL injection and buffer overflows. A pop song. In the NVD.
CVE-2022-38392 is funny, but it points at something genuinely important: the attack surface is always larger than you think.
Bugs have been found through:
The common thread? Developers built systems thinking about software. Attackers — and curious engineers — look at everything.
The best security mindset isn’t “what did I forget to sanitize?” It’s “what in my environment can be used against me that I haven’t even thought to consider?”
Sometimes the answer is Janet Jackson.
CVE-2022-38392 was disclosed by Microsoft in August 2022. The affected drives were specific 5400 RPM OEM models. The fix was an audio filter. Source: Sangfor Farsight Labs. This is real.