CVE-2022-2274
Published: 01 July 2022
Summary
CVE-2022-2274 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in OpenSSL. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a critical flaw in OpenSSL 3.0.4 that corrupts memory during RSA private-key operations on x86_64 CPUs supporting the AVX512IFMA instructions. It affects 2048-bit RSA private keys processed by the library, including those used by SSL/TLS servers and other network services running on the affected hardware. The root cause is an incorrect RSA implementation introduced in that release, classified under CWE-787.
An unauthenticated remote attacker can supply input that triggers the memory corruption during RSA computation, enabling arbitrary code execution on the affected server with no user interaction or credentials required. The flaw is reachable over the network whenever a vulnerable server performs private-key operations with 2048-bit keys.
OpenSSL published a security advisory on 5 July 2022 and issued commits that restore correct RSA behavior; administrators are advised to upgrade to a patched version. NetApp and other downstream vendors issued corresponding advisories recommending the same update path.
EPSS for the CVE rose from lower values to a peak of 0.5896 in December 2025 before receding to the current 0.3969, indicating a period of increased exploitation interest well after initial disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6272
Vulnerability details
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are blunted by memory protections that mark writable data pages non-executable.