CVE-2022-22721
Published: 14 March 2022
Summary
CVE-2022-22721 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Apple Mac OS X. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 5.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-22721 is an integer overflow vulnerability in Apache HTTP Server versions 2.4.52 and earlier that occurs when the LimitXMLRequestBody directive is configured to accept request bodies larger than 350 MB on 32-bit systems, resulting in subsequent out-of-bounds writes. The directive defaults to a 1 MB limit, so the flaw is only reachable under non-default configurations that explicitly raise the threshold.
An unauthenticated remote attacker can exploit the issue over the network by sending a crafted XML request body that triggers the overflow, leading to integrity and availability impacts without requiring user interaction. The CVSS 9.1 rating reflects that successful exploitation can corrupt memory or crash the server process.
Advisories from the Apache project and related disclosures recommend upgrading to a patched version of the server and reviewing any custom LimitXMLRequestBody settings that exceed safe thresholds on 32-bit deployments. The referenced security pages detail the affected releases and available updates.
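The configuration review recommended above can be scripted. The following Python audit is an added example, not part of this record and not tooling from the Apache project: it scans httpd configuration text for LimitXMLRequestBody directives and flags any value above the 350 MB threshold on a 32-bit build, or a value of 0, which in httpd disables the limit entirely. The sample configuration is constructed, the K/M/G suffix handling is an assumption (httpd itself takes a plain byte count), and the `audit`, `classify` and `needs_attention` names are this example's own.

```python
"""Audit Apache httpd configuration text for LimitXMLRequestBody values that
reach the CVE-2022-22721 overflow condition on 32-bit builds."""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

# From the advisory: limits above roughly 350 MB overflow on 32-bit builds.
OVERFLOW_THRESHOLD = 350 * 1024 * 1024
# httpd's documented default for LimitXMLRequestBody is 1000000 bytes.
HTTPD_DEFAULT = 1_000_000

# httpd takes the directive argument as a plain byte count. Accepting K/M/G
# suffixes as well is an assumption made here so hand-edited configs with
# such values are not silently skipped.
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
_DIRECTIVE = re.compile(
    r"^[ \t]*LimitXMLRequestBody[ \t]+(\d+)[ \t]*([KMGkmg]?)[ \t]*$",
    re.MULTILINE,
)


@dataclass
class Finding:
    line: int      # 1-based line number in the config text
    value: int     # configured limit in bytes
    verdict: str   # "unlimited", "overflow", or "ok"


def parse_limit(number: str, unit: str) -> int:
    """Convert the directive argument to bytes."""
    return int(number) * _UNITS[unit.upper()]


def classify(value: int, bits: int) -> str:
    """Rate one configured limit for a build with the given pointer width."""
    if value == 0:
        # 0 disables the check entirely, so bodies of any size are accepted.
        return "unlimited"
    if bits == 32 and value > OVERFLOW_THRESHOLD:
        return "overflow"
    return "ok"


def audit(config_text: str, bits: Optional[int] = None) -> List[Finding]:
    """Return one Finding per LimitXMLRequestBody directive.

    bits defaults to the pointer width of the interpreter running the audit,
    a reasonable proxy when the script runs on the httpd host itself.
    Commented-out directives (lines starting with '#') do not match.
    """
    if bits is None:
        bits = struct.calcsize("P") * 8
    findings = []
    for match in _DIRECTIVE.finditer(config_text):
        line = config_text.count("\n", 0, match.start()) + 1
        value = parse_limit(match.group(1), match.group(2))
        findings.append(Finding(line, value, classify(value, bits)))
    return findings


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Keep only the findings an operator must act on (upgrade or lower)."""
    return [f for f in findings if f.verdict != "ok"]


# Constructed sample config: the default limit at server scope, a virtual
# host raising it well past the threshold, a commented-out line that must
# be ignored, and a WebDAV location disabling the limit altogether.
SAMPLE_CONFIG = """\
ServerName example.test
LimitXMLRequestBody 1000000
<VirtualHost *:80>
    # LimitXMLRequestBody 0
    LimitXMLRequestBody 524288000
</VirtualHost>
<Location /dav>
    Dav On
    LimitXMLRequestBody 0
</Location>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, bits=32):
        print(f"line {f.line}: {f.value} bytes -> {f.verdict}")
```

Run against a 32-bit build, the sample yields one "ok" (the default), one "overflow" (500 MB in the virtual host) and one "unlimited" (the DAV location). On a 64-bit build only the unlimited entry remains flagged; the fix in either case is the upgrade the advisories recommend, with the configured limit lowered back toward the default until that is done.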
EPSS scores for this CVE rose from lower values to a peak of 0.2193, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27864
Vulnerability details
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
- CWE(s): CWE-190 (Integer Overflow or Wraparound)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.