Cyber Resilience

CVE-2022-23884

Severity: Critical · Public PoC available

Published: 28 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none recorded
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0510 (90.0th percentile)
Risk Priority: 23 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-23884 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Minecraft Bedrock Server. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 10.0% of CVEs by exploit likelihood (EPSS 0.0510); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Mojang Bedrock Dedicated Server version 1.18.2 contains an integer overflow vulnerability (CWE-190) in the PurchaseReceiptPacket::_read packet deserializer. The flaw produces a bounds-check bypass that can be triggered during normal network packet processing.

The issue is remotely exploitable without authentication or user interaction, as reflected in its CVSS 3.1 score of 9.8. An attacker able to send crafted packets to an affected server can achieve full compromise of confidentiality, integrity, and availability. The two reference URLs supplied are identical image links and contain no advisory text or mitigation guidance. The associated EPSS score has remained flat at 0.0510 with no material increase after disclosure.
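The bounds-check bypass described above is the textbook CWE-190 shape in a length-prefixed deserializer: the check adds the current offset to an attacker-controlled length in fixed-width arithmetic, the sum wraps, and the comparison passes although the bytes are not present. The following is an added illustration written for this page, not Mojang's code; the packet layout, the reader struct and the function names are hypothetical, and the sample packets are constructed inline.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <inttypes.h>
#include <stdio.h>

/* Hypothetical wire format (not Bedrock's): a 4-byte little-endian length
 * followed by that many payload bytes. */
typedef struct {
    const uint8_t *data;
    uint32_t size;   /* total bytes in the packet buffer */
    uint32_t pos;    /* current read offset */
} reader_t;

static uint32_t read_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern (CWE-190): pos + len is computed in 32-bit unsigned
 * arithmetic, so a length close to UINT32_MAX wraps the sum back below
 * size and the check passes. Returns true if len bytes are "available". */
bool bounds_check_vulnerable(const reader_t *r, uint32_t len) {
    return r->pos + len <= r->size;
}

/* Hardened form: compare len against the bytes remaining. The subtraction
 * cannot wrap once pos <= size is established, so no wraparound exists. */
bool bounds_check_safe(const reader_t *r, uint32_t len) {
    if (r->pos > r->size) return false;
    return len <= r->size - r->pos;
}

/* Reads one length-prefixed field using the supplied check. Returns the
 * accepted payload length, or -1 if the check rejects the field. */
int64_t read_field(reader_t *r, bool (*check)(const reader_t *, uint32_t)) {
    if (!check(r, 4)) return -1;            /* need the 4-byte length */
    uint32_t len = read_u32_le(r->data + r->pos);
    r->pos += 4;
    if (!check(r, len)) return -1;          /* need len payload bytes */
    r->pos += len;                          /* a real reader would copy here */
    return (int64_t)len;
}

/* Constructed sample: a 16-byte packet whose length prefix is 0xFFFFFFFC.
 * After the prefix, pos == 4, so 4 + 0xFFFFFFFC wraps to 0 in the
 * vulnerable check and "passes", while the safe check compares
 * 0xFFFFFFFC against the 12 remaining bytes and rejects it. */
int64_t read_oversized(bool use_vulnerable_check) {
    static const uint8_t pkt[16] = {
        0xFC, 0xFF, 0xFF, 0xFF, 'A', 'A', 'A', 'A',
        'A',  'A',  'A',  'A',  'A', 'A', 'A', 'A'
    };
    reader_t r = { pkt, sizeof pkt, 0 };
    return read_field(&r, use_vulnerable_check ? bounds_check_vulnerable
                                               : bounds_check_safe);
}

/* Constructed benign sample: length 5, payload "hello"; both checks accept. */
int64_t read_benign(bool use_vulnerable_check) {
    static const uint8_t pkt[9] = { 0x05, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
    reader_t r = { pkt, sizeof pkt, 0 };
    return read_field(&r, use_vulnerable_check ? bounds_check_vulnerable
                                               : bounds_check_safe);
}

int main(void) {
    printf("benign    vulnerable=%" PRId64 " safe=%" PRId64 "\n",
           read_benign(true), read_benign(false));
    printf("oversized vulnerable=%" PRId64 " safe=%" PRId64 "\n",
           read_oversized(true), read_oversized(false));
    return 0;
}
```

The hardened check is the one to look for in review: any bounds test of the form `offset + length <= size` on fixed-width integers is a wraparound candidate, and rewriting it as `length <= size - offset` (after confirming `offset <= size`) removes the overflow rather than just shrinking the window.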


Vulnerability details

Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bounds-check bypass caused by PurchaseReceiptPacket::_read (packet deserializer).

CWE(s)

CWE-190: Integer Overflow or Wraparound

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Minecraft Bedrock Server, version 1.18.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
