CVE-2022-27499

LOW LAB

Intel SGX SDK < 2.17.100.1 and < 2.18.100.1 - Use-After-Free

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-27499. PoCs published by web-logs2.

AI-analyzed exploit summary: This repository demonstrates an unanticipated snapshot attack (CVE-2022-27499) against Intel SGX, specifically targeting Redis running within an Occlum enclave. The PoC captures a snapshot of the enclave's memory state during password processing, allowing an attacker to replay the enclave and bypass authentication.

Description

Premature release of resource during expected lifetime in the Intel(R) SGX SDK software may allow a privileged user to potentially enable information disclosure via local access.

Exploits (1)

nomisec WORKING POC
by web-logs2 · poc
https://github.com/web-logs2/snapshot-demo

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Complex
Reliability: Reliable
Target: Intel SGX with Occlum (Redis 6.0.9)
No auth needed
Prerequisites: Intel SGX SDK · Occlum · Redis 6.0.9 · root access to modify SGX SDK · timing control to capture snapshot
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 2.5
EPSS: 0.0042
EPSS Percentile: 33.0%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Lab Environment

Community Lab
docker pull occlum/occlum:0.26.2-ubuntu18.04

Details

CWE: CWE-672
Status: published
Products (2):
intel/sgx_sdk < 2.17.100.1
intel/sgx_sdk < 2.18.100.1
Published: Nov 11, 2022
Tracked Since: Feb 18, 2026