CVE-2022-37434
Published: 05 August 2022
Summary
CVE-2022-37434 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Stormshield Network Security (vendor: Stormshield). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-37434 is a heap-based buffer over-read or buffer overflow in the inflate function within inflate.c of zlib up to version 1.2.12. The flaw is triggered by a large gzip header extra field and is present only in applications that invoke inflateGetHeader; many programs that statically bundle zlib source code do not expose this code path and are therefore unaffected.
An unauthenticated remote attacker can supply a malicious gzip stream to any affected application, resulting in memory corruption that may be leveraged for arbitrary code execution, information disclosure, or a crash. The vulnerability carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and full impact on confidentiality, integrity, and availability.
Public disclosures referenced in the seclists and oss-security archives describe the issue and affected zlib versions but do not detail vendor-specific patches or work-arounds beyond upgrading to a fixed zlib release. The associated EPSS score has remained at its peak value of 0.9274 since disclosure, indicating sustained exploitation interest without an observable post-publication climb.
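The gzip header extra field described above is declared by a 16-bit XLEN in the member header, so an application that passes a fixed buffer as gz_header.extra can bound the field before calling into inflate. The following Python check is an added example, not code from the original entry or from zlib: it parses the RFC 1952 FEXTRA field and classifies a stream against the extra_max the caller would supply; build_gzip_header and the sample values are constructed for illustration.

```python
import struct

def build_gzip_header(extra: bytes) -> bytes:
    """Constructed helper: minimal gzip member header (RFC 1952) with FEXTRA set.
    The compressed payload is omitted because only the header matters here."""
    flg = 0x04  # FEXTRA flag
    hdr = struct.pack("<BBBBIBB", 0x1F, 0x8B, 8, flg, 0, 0, 3)  # ID1 ID2 CM FLG MTIME XFL OS
    return hdr + struct.pack("<H", len(extra)) + extra

def parse_gzip_extra(data: bytes):
    """Return (xlen, extra_bytes) for a gzip member, or (0, b"") when FEXTRA is unset.
    Raises ValueError on a malformed or truncated header."""
    if len(data) < 10 or data[0] != 0x1F or data[1] != 0x8B:
        raise ValueError("not a gzip member")
    if data[2] != 8:
        raise ValueError("unsupported compression method")
    flg = data[3]
    if not flg & 0x04:
        return 0, b""
    if len(data) < 12:
        raise ValueError("truncated XLEN")
    (xlen,) = struct.unpack_from("<H", data, 10)  # XLEN is little-endian
    if len(data) < 12 + xlen:
        raise ValueError("truncated FEXTRA field")
    return xlen, data[12:12 + xlen]

def classify_extra_field(data: bytes, extra_max: int) -> str:
    """Application-side guard for streams that will be decoded with a gz_header
    whose extra buffer holds extra_max bytes: 'no-extra', 'fits' or 'oversized'.
    A stream classified 'oversized' should be rejected before it reaches inflate."""
    xlen, _ = parse_gzip_extra(data)
    if xlen == 0:
        return "no-extra"
    return "fits" if xlen <= extra_max else "oversized"
```

The check reads only the header, so it costs nothing on the hot path and works regardless of whether the linked zlib has been patched.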
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-40062
Vulnerability details
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by memory protections that mark data pages non-executable.