CVE-2022-2274

Critical · Public PoC

Published: 01 July 2022

Modified: 21 November 2024
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3969 (97.4th percentile)
Risk Priority: 43 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-2274 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in OpenSSL. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 2.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is a critical flaw in OpenSSL 3.0.4 that corrupts memory during RSA private-key operations on X86_64 CPUs supporting AVX512IFMA instructions. It affects any 2048-bit RSA keys processed by the library, including those used by SSL/TLS servers and other network services running on the impacted hardware. The root cause is an incorrect implementation introduced in that release, classified under CWE-787.

An unauthenticated remote attacker can supply input that triggers the memory corruption during RSA computation, enabling arbitrary code execution on the affected server with no user interaction or credentials required. The flaw is reachable over the network whenever a vulnerable server performs private-key operations with 2048-bit keys.

OpenSSL published a security advisory on 5 July 2022 and issued commits that restore correct RSA behavior; administrators are advised to upgrade to a patched version. NetApp and other downstream vendors issued corresponding advisories recommending the same update path.
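To decide which hosts need the upgrade first, the preconditions described above (OpenSSL 3.0.4, an X86_64 CPU with AVX512IFMA, 2048-bit RSA private keys) can be checked per host. The script below is an added example, not code from OpenSSL or from this page's source; its function names and verdict strings are illustrative, and it assumes a Linux host where CPU flags are read from /proc/cpuinfo and the RSA key size is supplied by the operator.

```shell
#!/bin/sh
# Added example: host triage for the CVE-2022-2274 preconditions named above.
# Function names and verdict strings are illustrative, not from OpenSSL.

# True when `openssl version` output reports release 3.0.4 exactly.
is_affected_version() {
    case "$1" in
        "OpenSSL 3.0.4"|"OpenSSL 3.0.4 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when a /proc/cpuinfo "flags" line lists avx512ifma as a whole token.
has_avx512ifma() {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | grep -qx 'avx512ifma'
}

# triage ARCH VERSION_OUTPUT CPU_FLAGS RSA_KEY_BITS -> prints one verdict line.
triage() {
    [ "$1" = "x86_64" ] || { echo "not-affected: arch"; return 0; }
    is_affected_version "$2" || { echo "not-affected: version"; return 0; }
    has_avx512ifma "$3" || { echo "not-affected: cpu"; return 0; }
    # All hardware and library conditions hold; key size decides urgency.
    if [ "$4" = "2048" ]; then
        echo "affected: upgrade now"
    else
        echo "latent: upgrade before any 2048-bit key is deployed"
    fi
}

# Live check (Linux only): sh triage.sh --host [rsa_key_bits]
if [ "${1:-}" = "--host" ]; then
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null || true)
    triage "$(uname -m)" "$(openssl version 2>/dev/null || true)" \
        "$flags" "${2:-2048}"
fi
```

The `openssl version` command reports the library the command-line tool is linked against; services that bundle their own copy of the library need to be checked separately.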

EPSS for the CVE rose from lower values to a peak of 0.5896 in December 2025 before receding to the current 0.3969, indicating a period of increased exploitation interest well after initial disclosure.

Vulnerability details

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

CWE(s)

CWE-787 (Out-of-bounds Write)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    Product          Version
openssl   openssl          3.0.4
netapp    snapcenter       all versions
netapp    h410c firmware   all versions
netapp    h300s firmware   all versions
netapp    h500s firmware   all versions
netapp    h700s firmware   all versions
netapp    h410s firmware   all versions

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
