Cyber Resilience

CVE-2022-3602

High · Public PoC

Published: 01 November 2022

Modified: 14 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.8351 (99.3rd percentile)
Risk Priority 65 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-3602 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Fedoraproject Fedora. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 0.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

A buffer overrun vulnerability exists in OpenSSL versions 3.0.0 through 3.0.6 during X.509 certificate verification, specifically in name constraint checking. The flaw occurs after signature verification of the certificate chain and allows an attacker-controlled email address to overflow four bytes on the stack. It affects both TLS clients and servers and is tracked as CWE-787 with a CVSS 3.1 score of 7.5.

An unauthenticated remote attacker can trigger the issue by presenting a malicious certificate. In a client context this occurs when connecting to a malicious server; in a server context it requires the server to request client authentication. Successful exploitation can produce a crash resulting in denial of service or, depending on platform stack protections and layout, potential remote code execution.

OpenSSL 3.0.7 contains the fix. Public advisories note that the original pre-announcement rating of CRITICAL was later reduced to HIGH because of existing stack overflow mitigations on many platforms, yet still urge prompt upgrade for all affected releases. The associated EPSS score reached a peak of 0.8609 and currently stands at 0.8351.

EU & UK References

Vulnerability details

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above has led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (affected: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6).
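Both the deeper analysis and the vulnerability details above give a defender two things to check: whether the linked OpenSSL falls in the affected range (3.0.0 through 3.0.6, fixed in 3.0.7), and whether the application aborts the handshake on a failed path build rather than continuing verification into the name-constraint code. The script below is an added example, not code from the advisory or from OpenSSL; the version banners it parses are constructed samples in the format printed by `openssl version`.

```python
"""Exposure checks for CVE-2022-3602 (added example, not advisory code).

1. Version check: only OpenSSL 3.0.0 .. 3.0.6 are affected; 3.0.7 fixes it.
   1.1.1 and LibreSSL never carried the vulnerable code path.
2. Context check: the overflow is reached after chain signature verification,
   so an application that keeps verifying after a failed path build is exposed
   even without a CA-signed malicious certificate.  A context that requires
   a valid chain aborts before that point.
"""
import re
import ssl

# Affected range as stated in the advisory (inclusive start, exclusive fix).
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 0, 7)

# Matches the 'openssl version' banner, e.g. 'OpenSSL 3.0.6 11 Oct 2022'
# or 'OpenSSL 1.1.1q  5 Jul 2022'; the letter suffix on 1.x is ignored.
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from a version banner, or None if the
    banner is not an OpenSSL banner (e.g. LibreSSL or garbage)."""
    m = _BANNER_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(banner):
    """True only for releases in 3.0.0 .. 3.0.6."""
    v = parse_openssl_version(banner)
    return v is not None and AFFECTED_MIN <= v < FIXED_IN


def running_openssl_affected():
    """Check the OpenSSL that this interpreter's ssl module is linked against."""
    return is_affected(ssl.OPENSSL_VERSION)


def make_client_context():
    """A client context that refuses to proceed on a failed path build."""
    return ssl.create_default_context()  # CERT_REQUIRED + hostname check


def context_rejects_untrusted_chains(ctx):
    """CERT_REQUIRED aborts the handshake on a verification failure instead of
    continuing on to name-constraint checks with an untrusted chain."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    state = "AFFECTED" if running_openssl_affected() else "not affected"
    print(f"{ssl.OPENSSL_VERSION}: {state}")
```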

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / product: affected versions
openssl / openssl: 3.0.0 — 3.0.7
fedoraproject / fedora: 26, 27, 36, 37
netapp / clustered data ontap: all versions
nodejs / node.js: 18.12.0, 19.0.0 · 18.0.0 — 18.11.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

References