CVE-2022-37454

CRITICAL

Keccak XKCP SHA-3 Reference Implementation - Integer Overflow and Buffer Overflow in Sponge Function Interface


Description

The Keccak XKCP SHA-3 reference implementation before commit fdc6fef has an integer overflow and a resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. The flaw is in the sponge function interface: in the absorb path, the length of a partial block is handled in 32-bit arithmetic and can wrap, so the check that is meant to clamp it to the space left in the current rate block is bypassed and the following write runs past the 200-byte Keccak state. Because the wrap needs a remaining input length close to 2^32 bytes, triggering it requires hashing a multi-gigabyte attacker-supplied message through an affected build, including the copies bundled in PHP and Python's hashlib.
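The following C program is an added illustration of the CWE-190 pattern behind this CVE; it is not code from XKCP, PHP or Python. It models only the bookkeeping of a sponge absorb loop (offset into the input, bytes queued in the current block, permutation count) for a Keccak-f[1600] state with the SHA3-256 rate, without touching any data, and it contrasts a partial-block clamp written as a narrow 32-bit sum with one written as a wide comparison. The function names, the `sponge_t` struct and the two-call scenario (absorb 1 byte, then 0xFFFFFFFF bytes, chosen so that the 32-bit sum wraps to 0) are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Dimensions of Keccak-f[1600] as used by SHA3-256 (assumed for this model). */
#define STATE_BYTES 200u
#define RATE_BYTES  136u

/*
 * Bytes to XOR into the state at offset byteIOIndex for the next partial
 * block. Vulnerable form: the remaining length is narrowed to 32 bits and
 * the clamp is decided by a 32-bit sum, which wraps when partialBlock is
 * close to UINT32_MAX, so the clamp is skipped and a huge length survives.
 */
uint32_t partial_block_vulnerable(size_t dataByteLen, size_t i, uint32_t byteIOIndex)
{
    uint32_t partialBlock = (uint32_t)(dataByteLen - i);
    if (partialBlock + byteIOIndex > RATE_BYTES)    /* CWE-190: may wrap to 0 */
        partialBlock = RATE_BYTES - byteIOIndex;
    return partialBlock;
}

/* Hardened form: compare in the wide type and move the addend across the
 * inequality so no sum is formed. byteIOIndex < RATE_BYTES is an invariant
 * of the absorb loop, so the subtraction cannot wrap. */
uint32_t partial_block_fixed(size_t dataByteLen, size_t i, uint32_t byteIOIndex)
{
    size_t remaining = dataByteLen - i;
    size_t room = RATE_BYTES - byteIOIndex;
    if (remaining > room)
        remaining = room;
    return (uint32_t)remaining;   /* now provably <= RATE_BYTES - byteIOIndex */
}

typedef uint32_t (*partial_fn)(size_t, size_t, uint32_t);

typedef struct {
    uint32_t byteIOIndex;   /* bytes queued in the current rate block */
    size_t   permutations;  /* how many times the permutation would run */
} sponge_t;

/* Bookkeeping model of absorb: walks the input in blocks without touching
 * any data and reports whether every state write would stay inside the
 * STATE_BYTES state. Returns false at the first write that would not. */
bool absorb_model(sponge_t *s, partial_fn pb, size_t dataByteLen)
{
    size_t i = 0;
    while (i < dataByteLen) {
        if (s->byteIOIndex == 0 && dataByteLen - i >= RATE_BYTES) {
            i += RATE_BYTES;            /* full-block fast path */
            s->permutations++;
        } else {
            uint32_t n = pb(dataByteLen, i, s->byteIOIndex);
            /* the real code XORs n bytes at state[byteIOIndex]; check that write */
            if ((uint64_t)s->byteIOIndex + n > STATE_BYTES)
                return false;           /* would overflow the state buffer */
            i += n;
            s->byteIOIndex += n;
            if (s->byteIOIndex == RATE_BYTES) {
                s->permutations++;
                s->byteIOIndex = 0;
            }
        }
    }
    return true;
}

/* Constructed two-call sequence: absorb 1 byte, then 0xFFFFFFFF bytes.
 * After the first call byteIOIndex == 1, so in the second call the 32-bit
 * sum 0xFFFFFFFF + 1 wraps to 0 and the vulnerable clamp is skipped. */
bool scenario_ok(partial_fn pb, sponge_t *out)
{
    sponge_t s = { 0, 0 };
    bool ok = absorb_model(&s, pb, 1) && absorb_model(&s, pb, 0xFFFFFFFFu);
    if (out) *out = s;
    return ok;
}

/* Wrappers that expose the scenario's outcome as plain values. */
bool     scenario_is_safe(partial_fn pb)      { return scenario_ok(pb, NULL); }
uint32_t scenario_final_index(partial_fn pb)  { sponge_t s; scenario_ok(pb, &s); return s.byteIOIndex; }
size_t   scenario_permutations(partial_fn pb) { sponge_t s; scenario_ok(pb, &s); return s.permutations; }

int main(void)
{
    printf("vulnerable: partial block = %u, every state write in bounds: %s\n",
           partial_block_vulnerable(0xFFFFFFFFu, 0, 1),
           scenario_is_safe(partial_block_vulnerable) ? "yes" : "no");
    printf("fixed:      partial block = %u, every state write in bounds: %s\n",
           partial_block_fixed(0xFFFFFFFFu, 0, 1),
           scenario_is_safe(partial_block_fixed) ? "yes" : "no");
    return 0;
}
```

The point to take from the model is the shape of the check, not the numbers: whenever a length that may be near the top of its type is added to an offset and compared against a limit, the sum can wrap and the comparison silently passes. Writing the guard as `remaining > limit - offset` (with the invariant `offset <= limit` maintained by the loop) avoids forming the sum at all. The same review rule applies to any hash, cipher or codec that keeps a byte queue and is fed lengths chosen by a remote party.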

Scores

CVSS v3 9.8
EPSS 0.0140
EPSS Percentile 80.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-190
Status published
Products (12)
debian/debian_linux 10.0
debian/debian_linux 11.0
extended_keccak_code_package_project/extended_keccak_code_package
fedoraproject/fedora 35
fedoraproject/fedora 36
php/php 7.2.0 - 7.4.33
pypi/pysha3
pypy/pypy 7.0.0
pysha3_project/pysha3
python/python 3.6.0 - 3.7.16
... and 2 more
Published Oct 21, 2022
Tracked Since Feb 18, 2026