CVE-2022-37454

CRITICAL

Extended Keccak Code Package before commit fdc6fef - Integer Overflow

Title source: rule

Description

The Keccak XKCP (eXtended Keccak Code Package) SHA-3 reference implementation before commit fdc6fef has an integer overflow in the sponge function interface that leads to a buffer overflow. The length arithmetic that decides how many input bytes fit into the partially filled current block is carried out in 32-bit arithmetic and can wrap, so the bound on the copy is skipped and the write runs past the sponge state. An attacker who controls the input to the hash can use this to execute arbitrary code or to defeat the expected cryptographic properties of the hash.
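As an added illustration (this is not code from the XKCP project or from this advisory), the following models the CWE-190 pattern behind this entry: the length arithmetic a sponge absorb loop uses to decide how many input bytes fit into the partially filled current block. The constants (a 200-byte Keccak state, the 144-byte SHA3-224 rate), the function names and the input values are assumptions made for the example. The vulnerable variant narrows the remaining length to unsigned int and checks the bound in 32-bit arithmetic, so a sum that wraps past 2^32 slips past the cap; the hardened variant compares at full width and narrows only the capped value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the sponge absorb length arithmetic, not XKCP's own code.
 * Assumed constants: a 1600-bit (200-byte) Keccak state and the SHA3-224
 * rate of 144 bytes; both are illustrative. */
#define STATE_BYTES   200u
#define RATE_SHA3_224 144u

/* Vulnerable pattern (CWE-190).
 * `remaining` is the number of input bytes not yet absorbed, `byteIOIndex`
 * how many bytes of the current rate block are already filled.
 * The remaining length is narrowed to unsigned int and the bound check is
 * done in 32-bit arithmetic, so partialBlock + byteIOIndex can wrap to a
 * small value, the cap is skipped, and the caller would go on to write
 * partialBlock bytes into the 200-byte state at offset byteIOIndex. */
unsigned int partial_block_vulnerable(size_t remaining,
                                      unsigned int rateInBytes,
                                      unsigned int byteIOIndex)
{
    unsigned int partialBlock = (unsigned int)remaining;   /* truncates */
    if (partialBlock + byteIOIndex > rateInBytes)          /* may wrap */
        partialBlock = rateInBytes - byteIOIndex;
    return partialBlock;
}

/* Hardened pattern: compare the full-width remaining length against the
 * room left in the block and narrow only the smaller value. The result
 * can never exceed rateInBytes - byteIOIndex (the sponge keeps
 * byteIOIndex < rateInBytes as an invariant). */
unsigned int partial_block_fixed(size_t remaining,
                                 unsigned int rateInBytes,
                                 unsigned int byteIOIndex)
{
    unsigned int room = rateInBytes - byteIOIndex;
    if (remaining > (size_t)room)
        return room;
    return (unsigned int)remaining;
}

/* Would writing `len` bytes at offset `index` stay inside the state?
 * Summed at 64 bits so the check itself cannot wrap on 32-bit size_t. */
int write_in_bounds(unsigned int index, unsigned int len)
{
    return (uint64_t)index + (uint64_t)len <= STATE_BYTES;
}

int main(void)
{
    /* Constructed trigger condition: one byte already in the block, then
     * 2^32 - 1 bytes still to absorb, so partialBlock + byteIOIndex == 2^32
     * wraps to 0 in the vulnerable check. */
    size_t remaining = (size_t)0xFFFFFFFFu;
    unsigned int index = 1u;

    unsigned int bad  = partial_block_vulnerable(remaining, RATE_SHA3_224, index);
    unsigned int good = partial_block_fixed(remaining, RATE_SHA3_224, index);

    printf("vulnerable: partialBlock=%u in_bounds=%d\n",
           bad, write_in_bounds(index, bad));
    printf("fixed:      partialBlock=%u in_bounds=%d\n",
           good, write_in_bounds(index, good));
    return 0;
}
```

The two variants agree on every input shorter than 2^32 minus the block offset; they diverge only when the narrowed length plus the offset crosses the 32-bit boundary, which is why the bug survives ordinary testing and needs inputs of several gigabytes to surface. The rule the fixed version follows is the general one for this CWE: compare in the widest type involved and narrow the bounded result, never the unbounded input.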

Scores

CVSS v3 9.8
EPSS 0.0133
EPSS Percentile 79.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-190
Status published

Affected Products (12)

extended_keccak_code_package_project/extended_keccak_code_package
debian/debian_linux
debian/debian_linux
fedoraproject/fedora
fedoraproject/fedora
php/php < 7.4.33
python/python < 3.7.16
sha3_project/sha3 < 1.0.5
pysha3_project/pysha3
pypy/pypy
pypi/pysha3 (PyPI)
rubygems/sha3 < 1.0.5 (RubyGems)

Timeline

Published Oct 21, 2022
Tracked Since Feb 18, 2026