CVE-2022-37454
CRITICAL severity · CVSS 9.8 · Integer overflow
9.8CVSS CRITICAL
Summary
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)1%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658 ↗
Additional information
- NVD record
- https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658Patch
- https://csrc.nist.gov/projects/hash-functions/sha-3-projectAdvisory
- https://eprint.iacr.org/2023/331
- https://lists.debian.org/debian-lts-announce/2022/10/msg00041.htmlAdvisory
- https://lists.debian.org/debian-lts-announce/2022/11/msg00000.htmlAdvisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/Advisory
- https://mouha.be/sha-3-buffer-overflow/Advisory