CVE-2022-35977
Published: 20 January 2023
Summary
CVE-2022-35977 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Redis (vendor: Redis). Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 1.8% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Redis is an in-memory database that persists on disk and is affected by an integer overflow vulnerability tracked as CVE-2022-35977. Authenticated users who issue specially crafted SETRANGE and SORT(_RO) commands can trigger the flaw, causing Redis to attempt to allocate an impossible amount of memory and abort with an out-of-memory panic. The issue is classified under CWE-190 and carries a CVSS 3.1 score of 5.5, reflecting local access, low attack complexity and high impact on availability.
An attacker with an authenticated session on the Redis instance can exploit the vulnerability to induce a denial-of-service condition by forcing the server process to terminate. No additional privileges or user interaction are required beyond the ability to execute the affected commands.
Official patches are available in Redis versions 7.0.8, 6.2.9, and 6.0.17; the project’s security advisory and release notes direct users to upgrade to these versions, noting that no workarounds exist. The associated EPSS score has remained flat at 0.3555 with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-38804
Vulnerability details
Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SETRANGE` and `SORT(_RO)` commands can trigger an integer overflow, resulting in Redis attempting to allocate impossible amounts of memory and aborting with an out-of-memory (OOM) panic.
The problem is fixed in Redis versions 7.0.8, 6.2.9 and 6.0.17. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- CWE(s): CWE-190 (Integer Overflow or Wraparound)
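As an added triage helper (not part of this record or of the Redis project's own code), the script below reads the `redis_version` line from a Redis `INFO server` reply and reports whether the build predates the first fixed release on its branch (7.0.8, 6.2.9 or 6.0.17). The INFO text is constructed, and treating release branches newer than 7.0 as already patched is an assumption to confirm against the advisory.

```python
"""Patch-status triage for CVE-2022-35977 from `INFO server` output."""
import re

# First fixed release on each affected branch, taken from the advisory.
FIXED_VERSIONS = {(6, 0): (6, 0, 17), (6, 2): (6, 2, 9), (7, 0): (7, 0, 8)}
NEWEST_FIXED_BRANCH = (7, 0)

# Constructed sample of an `INFO server` reply (not captured from a real host).
SAMPLE_INFO = "# Server\r\nredis_version:6.2.7\r\nredis_mode:standalone\r\n"


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) from a Redis version string such as 7.0.8."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Redis version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the build is older than the first fixed release for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    if branch > NEWEST_FIXED_BRANCH:
        # Assumption: branches cut after 7.0 shipped with the fix already in.
        return False
    # Branches before 6.0, or unlisted ones below 7.0, got no fix: be conservative.
    return True


def redis_version_from_info(info_text: str) -> str:
    """Extract the redis_version field from the text of an `INFO server` reply."""
    m = re.search(r"^redis_version:(\S+)", info_text, re.MULTILINE)
    if not m:
        raise ValueError("no redis_version line found in INFO output")
    return m.group(1)


def triage(info_text: str) -> dict:
    """Summarise the patch status of the server described by info_text."""
    version = redis_version_from_info(info_text)
    branch = parse_version(version)[:2]
    fixed = FIXED_VERSIONS.get(branch)
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "upgrade_to": ".".join(map(str, fixed)) if fixed else None,
    }
```

Run `triage(SAMPLE_INFO)` to see the verdict for the constructed 6.2.7 server; feed it the real `INFO server` text of an instance to triage that host.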
Related Threats
MITRE ATT&CK Enterprise Techniques
- Application or System Exploitation (T1499.004)
Why these techniques?
Integer overflow in Redis commands directly enables application exploitation resulting in process termination and DoS.
Affected Assets
- Redis versions prior to 7.0.8, 6.2.9 and 6.0.17
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the available patches in Redis 7.0.8/6.2.9/6.0.17 that eliminate the integer-overflow path in SETRANGE and SORT(_RO).
- SI-10 (Information Input Validation): mandates validation of command arguments to reject or sanitize the specially crafted values that trigger the CWE-190 overflow.
- Requires mechanisms to limit or throttle resource-exhaustion effects from the OOM panic induced by the malformed commands.