Cyber Resilience

CVE-2022-37454

Critical · Public PoC

Published: 21 October 2022

Modified: 08 May 2025
KEV Added: not listed
Patch: see commit fdc6fef under Deeper analysis
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0140 (80.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-37454 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability, recorded here against the vendor/product pair Python / Python. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 19.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is an integer overflow leading to a buffer overflow in the sponge function interface of the Keccak XKCP SHA-3 reference implementation prior to commit fdc6fef. This flaw, tracked as CVE-2022-37454 with a CVSS score of 9.8 and mapped to CWE-190, resides in the core reference code for the SHA-3 hash function family.

Remote unauthenticated attackers can supply crafted inputs over the network to trigger the overflow, enabling arbitrary code execution or the elimination of the algorithm's expected cryptographic properties such as collision resistance and preimage resistance. No user interaction or privileges are required for exploitation.

The GitHub security advisory for the XKCP project and subsequent Debian LTS announcements direct users to update to the patched implementation at or after commit fdc6fef; NIST and related cryptographic references reinforce replacing affected reference code in dependent libraries and applications.

EPSS for this CVE rose from low values at disclosure to a peak of 0.0550 on 2025-01-22 before receding to the current 0.0140, indicating a delayed but material increase in observed exploitation interest well after the original publication.
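As an added illustration (not XKCP's code; this page does not quote the faulty line, so the shape of the bookkeeping below is the example's own assumption), the C program contrasts a CWE-190-prone bound check in sponge absorb length accounting with a variant that cannot wrap. The block size of 136 bytes is the SHA3-256 rate.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative sponge "absorb" length bookkeeping; this is NOT the XKCP code.
 * rate_bytes: bytes per block (136 for SHA3-256), offset: bytes already queued
 * in the current block, remaining: input bytes still to absorb (64-bit length). */

/* Unsafe variant: the input length is narrowed to 32 bits and the bound check
 * adds two 32-bit values, so the sum can wrap to a small number (CWE-190).
 * Returns the byte count the caller would copy into the block buffer. */
unsigned int partial_block_naive(uint64_t remaining, unsigned int rate_bytes,
                                 unsigned int offset) {
    unsigned int partial = (unsigned int)remaining;  /* silently truncates */
    if (partial + offset > rate_bytes)               /* sum may wrap around */
        partial = rate_bytes - offset;
    return partial;
}

/* Hardened variant: compute the free room first and compare in the wide type,
 * so no addition can overflow and no length is narrowed before the check.
 * Caller guarantees offset <= rate_bytes. */
unsigned int partial_block_checked(uint64_t remaining, unsigned int rate_bytes,
                                   unsigned int offset) {
    uint64_t room = (uint64_t)rate_bytes - offset;
    return (unsigned int)(remaining < room ? remaining : room);
}

/* Would copying `count` bytes at `offset` stay inside a block of rate_bytes? */
bool copy_fits(unsigned int count, unsigned int rate_bytes, unsigned int offset) {
    return (uint64_t)count + offset <= rate_bytes;
}

int main(void) {
    const unsigned int rate = 136, offset = 8;
    /* Constructed length just under 4 GiB, chosen so that partial + offset
     * equals 2^32 and wraps to 0 in 32-bit arithmetic. */
    const uint64_t huge = (uint64_t)UINT32_MAX - offset + 1;
    unsigned int n1 = partial_block_naive(huge, rate, offset);
    unsigned int n2 = partial_block_checked(huge, rate, offset);
    printf("naive:   count=%u fits=%d\n", n1, copy_fits(n1, rate, offset));
    printf("checked: count=%u fits=%d\n", n2, copy_fits(n2, rate, offset));
    return 0;
}
```

The naive variant passes its bound check for the constructed length and reports a copy far larger than the block, which is the overflow class the advisory describes; the checked variant clamps to the 128 free bytes.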

Vulnerability details

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

extended keccak code package project / extended keccak code package: all versions
debian / debian linux: 10.0, 11.0
fedoraproject / fedora: 35, 36
php / php: 7.2.0 to 7.4.33 · 8.0.0 to 8.0.25 · 8.1.0 to 8.1.12
python / python: 3.6.0 to 3.7.16 · 3.8.0 to 3.8.16 · 3.9.0 to 3.9.16
sha3 project / sha3: ≤ 1.0.5
pysha3 project / pysha3: all versions
pypy / pypy: ≥ 7.0.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
