CVE-2022-23884
Published: 28 March 2022
Summary
CVE-2022-23884 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Minecraft Bedrock Server. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Mojang Bedrock Dedicated Server version 1.18.2 contains an integer overflow vulnerability (CWE-190) in the PurchaseReceiptPacket::_read packet deserializer. The flaw produces a bounds-check bypass that can be triggered during normal network packet processing.
The issue is remotely exploitable without authentication or user interaction, as reflected in its CVSS 3.1 score of 9.8. An attacker able to send crafted packets to an affected server can achieve full compromise of confidentiality, integrity, and availability. The two reference URLs supplied are identical image links and contain no advisory text or mitigation guidance. The associated EPSS score has remained flat at 0.0510 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28809
Vulnerability details
Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bounds-check bypass caused by PurchaseReceiptPacket::_read (packet deserializer).
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.