CVE-2022-23884
CRITICAL
Mojang Bedrock Dedicated Server <1.18.2 - Code Injection
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2022-23884. PoCs published by nanaao.
AI-analyzed exploit summary
This PoC exploits CVE-2022-23884, a DoS vulnerability in Minecraft: Bedrock Edition servers (1.16.0-1.18.12) caused by an integer overflow in PurchaseReceiptPacket::_read, leading to a large loop and server crash.
Description
Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bound check bypass caused by PurchaseReceiptPacket::_read (packet deserializer).
Exploits (1)
nomisec
WORKING POC
1 star
by nanaao · poc
https://github.com/nanaao/CVE-2022-23884
Classification
Working PoC 95%
Attack Type
DoS
Complexity
Trivial
Reliability
Reliable
Target:
Minecraft: Bedrock Edition Server 1.16.0-1.18.12
No auth needed
Prerequisites:
Network access to the target server · Python environment to run the script
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://s3.bmp.ovh/imgs/2022/01/962e0c75f5969cfb.png
Scores
CVSS v3
9.8
EPSS
0.0510
EPSS Percentile
90.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-190
Status
published
Products (1)
minecraft/bedrock_server
1.18.2
Published
Mar 28, 2022
Tracked Since
Feb 18, 2026