Cyber Resilience

CVE-2022-37434

Severity: Critical | Public PoC: referenced

Published: 05 August 2022
Modified: 30 May 2025
KEV Added: not listed
Patch: 09 August 2022
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.9274 (99.8th percentile)
Risk priority: 75 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-37434 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Stormshield Network Security. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-37434 is a heap-based buffer over-read or buffer overflow in the inflate function within inflate.c of zlib up to version 1.2.12. The flaw is triggered by a large gzip header extra field and is present only in applications that invoke inflateGetHeader; many programs that statically bundle zlib source code do not expose this code path and are therefore unaffected.

An unauthenticated remote attacker can supply a malicious gzip stream to any affected application, resulting in memory corruption that may be leveraged for arbitrary code execution, information disclosure, or a crash. The vulnerability carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and full impact on confidentiality, integrity, and availability.

Public disclosures referenced in the seclists and oss-security archives describe the issue and the affected zlib versions but do not detail vendor-specific patches or workarounds beyond upgrading to a fixed zlib release. The associated EPSS score has remained at its peak value of 0.9274 since disclosure, indicating sustained exploitation interest without an observable post-publication climb.
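The trigger described above is a gzip member whose FEXTRA field is larger than the receiving application expects. A defensive pre-check that a practitioner can run at the ingestion boundary is to parse the RFC 1952 header independently and reject streams whose extra field exceeds a policy limit before the bytes reach a decompressor that calls inflateGetHeader. The code below is an added example, not code from this advisory or from the zlib project; the function names, the 1024-byte default limit and the two sample streams are assumptions, and the sample streams are constructed inline so the check runs offline.

```python
"""Pre-filter for untrusted gzip input: parse the RFC 1952 member header and
reject streams whose FEXTRA field is larger than the receiving application
expects, before the bytes reach a decompressor that calls inflateGetHeader.
Added example, not from the advisory; names, the policy limit and the sample
streams are assumptions."""
import gzip
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# FLG bits, RFC 1952 section 2.3.1
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10
RESERVED_FLAGS = 0xE0


@dataclass
class GzipHeader:
    flags: int
    extra: bytes              # raw FEXTRA payload, b"" when absent
    name: Optional[bytes]
    comment: Optional[bytes]
    header_len: int           # bytes consumed before the deflate data starts


def parse_gzip_header(data: bytes) -> GzipHeader:
    """Walk the fixed 10-byte header and each optional field, checking every
    read against the bytes actually present instead of trusting XLEN."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    if data[2] != 8:
        raise ValueError("unsupported compression method")
    flg = data[3]
    if flg & RESERVED_FLAGS:
        raise ValueError("reserved FLG bits set")
    pos, extra = 10, b""
    if flg & FEXTRA:
        if len(data) < pos + 2:
            raise ValueError("truncated XLEN")
        (xlen,) = struct.unpack("<H", data[pos:pos + 2])
        pos += 2
        if len(data) < pos + xlen:
            raise ValueError("truncated extra field")
        extra, pos = data[pos:pos + xlen], pos + xlen
    name = comment = None
    if flg & FNAME:
        end = data.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated FNAME")
        name, pos = data[pos:end], end + 1
    if flg & FCOMMENT:
        end = data.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated FCOMMENT")
        comment, pos = data[pos:end], end + 1
    if flg & FHCRC:
        if len(data) < pos + 2:
            raise ValueError("truncated FHCRC")
        pos += 2
    return GzipHeader(flg, extra, name, comment, pos)


def inspect_gzip(data: bytes, max_extra_len: int = 1024) -> dict:
    """Policy check to run before decompression. The 1024-byte default is an
    assumed limit; set it to the extra_max the consuming code really uses."""
    try:
        hdr = parse_gzip_header(data)
    except ValueError as exc:
        return {"accepted": False, "reason": f"malformed header: {exc}", "extra_len": 0}
    if len(hdr.extra) > max_extra_len:
        return {"accepted": False,
                "reason": f"FEXTRA length {len(hdr.extra)} exceeds limit {max_extra_len}",
                "extra_len": len(hdr.extra)}
    return {"accepted": True, "reason": "ok", "extra_len": len(hdr.extra)}


def build_gzip_member(payload: bytes, extra: bytes = b"") -> bytes:
    """Constructed sample: a valid single-member gzip stream with an optional
    FEXTRA field, so the benign and the oversized case can be produced offline."""
    flg = FEXTRA if extra else 0
    header = b"\x1f\x8b\x08" + bytes([flg]) + b"\x00\x00\x00\x00\x00\x03"
    if extra:
        header += struct.pack("<H", len(extra)) + extra
    comp = zlib.compressobj(6, zlib.DEFLATED, -15)   # raw deflate, no zlib wrapper
    body = comp.compress(payload) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(payload), len(payload) & 0xFFFFFFFF)
    return header + body + trailer


PAYLOAD = b"hello, zlib\n"
# One RFC 1952 subfield: SI1 SI2 LEN(2 bytes, LE) DATA
BENIGN = build_gzip_member(PAYLOAD, b"AB" + struct.pack("<H", 1) + b"x")
OVERSIZED = build_gzip_member(PAYLOAD, b"AB" + struct.pack("<H", 59996) + b"Z" * 59996)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, inspect_gzip(blob))
        # Both streams are well-formed, so "does it decompress?" alone passes both.
        assert gzip.decompress(blob) == PAYLOAD
```

The point of running the two samples through the standard library decompressor as well is that both streams are valid gzip: a generic "does it decompress" health check does not distinguish them, whereas the header walk reports the 60000-byte extra field and refuses it. The filter is a compensating control for the ingestion path; as the advisory notes, the fix itself is upgrading to a zlib release after 1.2.12.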

EU & UK References

Vulnerability details

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zlib: zlib, ≤ 1.2.12
fedoraproject: fedora, 35, 36, 37
debian: debian linux, 10.0
netapp: active iq unified manager, all versions
netapp: hci, all versions
netapp: management services for element software, all versions
netapp: oncommand workflow automation, all versions
netapp: ontap select deploy administration utility, all versions
netapp: storagegrid, all versions
netapp: hci compute node, all versions
+8 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-120: Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.

Addresses CWE-787: Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

References