Cyber Resilience

CVE-2022-24963

Severity: Critical
Published: 31 January 2023
Modified: 27 March 2025
KEV Added: not listed
Patch: not recorded on this page
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (34.9th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24963 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in the apr_encode functions of Apache Portable Runtime (APR) 1.7.0. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it at the 34.9th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-24963 is an integer overflow or wraparound weakness in the apr_encode functions of Apache Portable Runtime (APR) 1.7.0. The overflow occurs in size arithmetic: an encoded-output length computed from an attacker-influenced input length can wrap to a small value, so the destination buffer is sized too small and the encoder writes beyond its bounds (CWE-190 leading to an out-of-bounds write). The issue carries a CVSS 3.1 score of 9.8.

Per the CVSS vector, an unauthenticated remote attacker can trigger the flaw over the network without user interaction and compromise confidentiality, integrity, and availability. In practice, APR is a library: reachability depends on whether the embedding application (for example a web server or product that links APR 1.7.0) passes attacker-controlled data or lengths into the apr_encode functions, so exposure must be assessed per application rather than assumed from the vector alone.

Public advisories from Apache and NetApp describe the issue and the recommended actions for users of APR 1.7.0.

The associated EPSS score rose from a low baseline to a peak of 0.1148 on 2025-01-22 before receding. EPSS is a modelled probability of exploitation, not an observation of it, so the spike indicates that the model briefly predicted a higher likelihood of exploitation in early 2025; it is not evidence of in-the-wild exploitation, which would be reflected by a KEV listing.
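The following is an added illustration of this bug class and is not APR's source code. It models a hypothetical base64 encoder whose output-length formula, `(slen + 2) / 3 * 4 + 1`, silently wraps for very large input lengths (the unchecked pattern), beside a hardened version that rejects any input whose encoded length cannot be represented in `size_t` and checks the caller's real buffer size before writing. The names `b64_len_unchecked`, `b64_len_checked`, `b64_encode` and `B64_MAX_SLEN` are invented for this example, and the sample input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of CWE-190 in an encoder's size calculation. This is
 * NOT the APR code: it only shows the pattern the advisory describes, where
 * a wrapped length leads a caller to allocate a tiny buffer while the
 * encoder still walks the whole input and writes past the end.
 */

/* Vulnerable pattern: the arithmetic wraps for slen close to SIZE_MAX. */
size_t b64_len_unchecked(size_t slen)
{
    return (slen + 2) / 3 * 4 + 1;        /* no overflow check at all */
}

/*
 * Largest slen for which the formula cannot wrap. We need
 * (slen + 2) / 3 <= (SIZE_MAX - 1) / 4, i.e. slen <= (SIZE_MAX - 1) / 4 * 3.
 */
#define B64_MAX_SLEN ((SIZE_MAX - 1) / 4 * 3)

/* Hardened pattern: refuse lengths that would wrap. Returns 0 on success. */
int b64_len_checked(size_t slen, size_t *out_len)
{
    if (slen > B64_MAX_SLEN)
        return -1;                        /* encoded length would overflow */
    *out_len = (slen + 2) / 3 * 4 + 1;    /* guaranteed not to wrap here */
    return 0;
}

static const char B64_ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/*
 * Encode src[0..slen) into dst. dst_len is the caller's actual buffer size
 * and is compared against the overflow-safe required length before any
 * byte is written. Returns characters written (excluding NUL), or -1.
 */
long b64_encode(const unsigned char *src, size_t slen, char *dst, size_t dst_len)
{
    size_t need, i, o = 0;

    if (b64_len_checked(slen, &need) != 0 || dst_len < need)
        return -1;                        /* input too large or buffer too small */

    for (i = 0; i + 3 <= slen; i += 3) {
        uint32_t v = (src[i] << 16) | (src[i + 1] << 8) | src[i + 2];
        dst[o++] = B64_ALPHABET[(v >> 18) & 63];
        dst[o++] = B64_ALPHABET[(v >> 12) & 63];
        dst[o++] = B64_ALPHABET[(v >> 6) & 63];
        dst[o++] = B64_ALPHABET[v & 63];
    }
    if (slen - i == 1) {                  /* one trailing byte: two pad chars */
        uint32_t v = src[i] << 16;
        dst[o++] = B64_ALPHABET[(v >> 18) & 63];
        dst[o++] = B64_ALPHABET[(v >> 12) & 63];
        dst[o++] = '=';
        dst[o++] = '=';
    } else if (slen - i == 2) {           /* two trailing bytes: one pad char */
        uint32_t v = (src[i] << 16) | (src[i + 1] << 8);
        dst[o++] = B64_ALPHABET[(v >> 18) & 63];
        dst[o++] = B64_ALPHABET[(v >> 12) & 63];
        dst[o++] = B64_ALPHABET[(v >> 6) & 63];
        dst[o++] = '=';
    }
    dst[o] = '\0';
    return (long)o;
}

int main(void)
{
    char buf[16];
    const unsigned char msg[] = "Man";    /* constructed sample input */
    size_t n;

    /* The unchecked formula wraps SIZE_MAX + 2 to 1, yielding a length of 1. */
    printf("unchecked(SIZE_MAX) = %zu (wrapped)\n", b64_len_unchecked(SIZE_MAX));
    printf("checked(SIZE_MAX) rejected: %d\n", b64_len_checked(SIZE_MAX, &n) != 0);
    if (b64_encode(msg, 3, buf, sizeof buf) > 0)
        printf("encode(\"Man\") = %s\n", buf);
    return 0;
}
```

The two length functions are the whole point: the unchecked one returns 1 for an input length of `SIZE_MAX`, so a caller that allocates from it gets a one-byte buffer and then overruns it; the checked one refuses the request before any allocation or write happens. Bounding on `B64_MAX_SLEN` rather than checking the product after the fact is the idiomatic fix for this class, since the comparison itself cannot overflow.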

Vulnerability details

Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.

CWE(s)

CWE-190: Integer Overflow or Wraparound
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Apache Portable Runtime (APR) 1.7.0

Mitigating Controls

No mitigating controls are mapped on this page yet. The actions supported by the Apache and NetApp advisories are: upgrade deployments of APR 1.7.0 to the fixed release the Apache advisory names; inventory software that links or bundles APR 1.7.0, including the products covered by the NetApp advisory, since the library is rarely installed on its own; and, until patched, ensure the embedding application does not pass untrusted data or lengths into the apr_encode functions.