Cyber Resilience

CVE-2022-22721

Critical

Published: 14 March 2022

Modified: 21 November 2024
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.1347 (94.4th percentile)
Risk Priority: 26 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-22721 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Apple Mac OS X. Its CVSS base score is 9.1 (Critical).

Operationally, it is ranked in the top 5.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-22721 is an integer overflow vulnerability in Apache HTTP Server versions 2.4.52 and earlier. It occurs when the LimitXMLRequestBody directive is configured to accept request bodies larger than 350 MB on 32-bit systems, and the overflowed size is later used for buffer handling, resulting in out-of-bounds writes. The directive defaults to a 1 MB limit, so the flaw is only reachable under non-default configurations that explicitly raise the threshold.

An unauthenticated remote attacker can exploit the issue over the network by sending a crafted XML request body that triggers the overflow, leading to integrity and availability impacts without requiring user interaction. The CVSS 9.1 rating reflects that successful exploitation can corrupt memory or crash the server process.

Advisories from the Apache project and related disclosures recommend upgrading to a patched version of the server and reviewing any custom LimitXMLRequestBody settings that exceed the 350 MB threshold on 32-bit deployments. The referenced security pages detail the affected releases and available updates.
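A small configuration audit that implements the review step described above: it scans httpd configuration text for LimitXMLRequestBody directives and flags values above the 350 MB threshold or set to 0 (which, per the httpd documentation, disables the size check entirely). This is an added example, not code from the Apache project or from this page; the sample configuration is constructed, and treating "350 MB" as 350 * 1024 * 1024 bytes is an assumption. A finding only matters on 32-bit builds of httpd 2.4.52 or earlier, which the script cannot determine from the configuration alone.

```python
import re
from typing import List, Tuple

# Threshold from the advisory text ("larger than 350MB"); the MiB interpretation is an assumption.
UNSAFE_BYTES = 350 * 1024 * 1024

# LimitXMLRequestBody takes a single integer argument in bytes (no K/M/G suffixes).
DIRECTIVE = re.compile(r"^\s*LimitXMLRequestBody\s+(\d+)\s*$", re.IGNORECASE)


def find_limit_xml_directives(config_text: str) -> List[Tuple[int, int]]:
    """Return (line_number, value_in_bytes) for every active LimitXMLRequestBody directive."""
    found = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        # httpd comments occupy whole lines; a '#' cannot follow a directive on the same line.
        if raw.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(raw)
        if m:
            found.append((lineno, int(m.group(1))))
    return found


def audit(config_text: str, threshold: int = UNSAFE_BYTES) -> List[Tuple[int, int, str]]:
    """Return (line_number, value, reason) for each directive that needs review."""
    findings = []
    for lineno, value in find_limit_xml_directives(config_text):
        if value == 0:
            # 0 disables the XML body size check, so the limit is effectively unbounded.
            findings.append((lineno, value, "unlimited"))
        elif value > threshold:
            findings.append((lineno, value, "exceeds_threshold"))
    return findings


# Constructed sample httpd.conf fragment, not taken from any real deployment.
SAMPLE_CONF = "\n".join([
    "# constructed sample httpd.conf fragment",
    "LimitXMLRequestBody 1000000",
    '<Directory "/var/www/dav">',
    "    LimitXMLRequestBody 500000000",
    "</Directory>",
    "# LimitXMLRequestBody 900000000",
    "LimitXMLRequestBody 0",
])

if __name__ == "__main__":
    for lineno, value, reason in audit(SAMPLE_CONF):
        print(f"line {lineno}: LimitXMLRequestBody {value} ({reason})")
```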

The EPSS score for this CVE rose over time to a peak of 0.2193, indicating that exploitation interest increased after public disclosure.

Vulnerability details

If LimitXMLRequestBody is set to allow request bodies larger than 350 MB (the default is 1M) on 32-bit systems, an integer overflow occurs which later causes out-of-bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache / http server: <= 2.4.52
fedoraproject / fedora: 34, 35, 36
debian / debian linux: 9.0
oracle / enterprise manager ops center: 12.4.0.0
oracle / http server: 12.2.1.3.0, 12.2.1.4.0
oracle / zfs storage appliance kit: 8.8
apple / mac os x: 10.15.7; 10.15 to 10.15.7
apple / macos: 11.0 to 11.6.6; 12.0 to 12.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
