CVE-2022-37454
Published: 21 October 2022
Summary
CVE-2022-37454 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Python, via the Keccak XKCP SHA-3 reference implementation. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 19.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is an integer overflow leading to a buffer overflow in the sponge function interface of the Keccak XKCP SHA-3 reference implementation prior to commit fdc6fef. This flaw, tracked as CVE-2022-37454 with a CVSS score of 9.8 and mapped to CWE-190, resides in the core reference code for the SHA-3 hash function family.
Remote, unauthenticated attackers can supply crafted input over the network to trigger the overflow, enabling arbitrary code execution or defeating the algorithm's expected cryptographic properties, such as collision resistance and preimage resistance. No user interaction or privileges are required for exploitation.
The GitHub security advisory for the XKCP project and subsequent Debian LTS announcements direct users to update to the patched implementation at or after commit fdc6fef; NIST and related cryptographic references reinforce replacing affected reference code in dependent libraries and applications.
EPSS for this CVE rose from low values at disclosure to a peak of 0.0550 on 2025-01-22 before receding to the current 0.0140, indicating a delayed but material increase in observed exploitation interest well after the original publication.
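The following is an added, constructed illustration of the bug class this record describes (CWE-190 in a sponge absorb loop); it is not XKCP's or Python's code, and the function and variable names are hypothetical. It assumes the common shape of such a loop: a 32-bit counter tracks how many bytes of the current block are filled, and a clamp decides how many of the remaining input bytes may be copied in. The unsafe form adds before comparing, so the sum can wrap when the remaining length is near 2^32 and the clamp is skipped; the hardened form compares against the space left in the block, where no intermediate can exceed the rate.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example of an integer-overflow-prone length clamp in a sponge
 * absorb loop. Names are this example's own, not XKCP identifiers.
 * Assumption: byte_io_index <= rate_bytes always holds (block is never
 * over-full when the clamp runs). */

/* SHA3-256 rate: 1600 - 2*256 = 1088 bits = 136 bytes. */
#define RATE_BYTES_SHA3_256 136u

/* Unsafe form: partial + byte_io_index is computed in 32-bit unsigned
 * arithmetic. When the remaining input is close to 2^32 bytes the sum wraps,
 * the comparison is false, and partial stays far larger than the space left
 * in the block: the subsequent copy into the state overruns it. */
unsigned int partial_block_unsafe(size_t remaining, unsigned int byte_io_index,
                                  unsigned int rate_bytes)
{
    unsigned int partial = (unsigned int)remaining;   /* truncating cast */
    if (partial + byte_io_index > rate_bytes)         /* may wrap to a small value */
        partial = rate_bytes - byte_io_index;
    return partial;
}

/* Hardened form: compare the remaining length against the free space in the
 * block instead of adding to it. space <= rate_bytes by the stated
 * assumption, so nothing here can wrap, and the result never exceeds space. */
unsigned int partial_block_safe(size_t remaining, unsigned int byte_io_index,
                                unsigned int rate_bytes)
{
    unsigned int space = rate_bytes - byte_io_index;
    if (remaining < (size_t)space)
        return (unsigned int)remaining;
    return space;
}

/* Returns 1 if copying `partial` bytes at offset byte_io_index would exceed
 * the block, 0 otherwise. Uses 64-bit arithmetic so the check itself cannot wrap. */
int overruns_block(unsigned int partial, unsigned int byte_io_index,
                   unsigned int rate_bytes)
{
    return (uint64_t)partial + byte_io_index > rate_bytes;
}

int main(void)
{
    /* Constructed input: just under 4 GiB still to absorb, 32 bytes already
     * in the block. Only multi-gigabyte inputs reach this region. */
    size_t remaining = (size_t)0xFFFFFFF0u;
    unsigned int idx = 32u;

    unsigned int u = partial_block_unsafe(remaining, idx, RATE_BYTES_SHA3_256);
    unsigned int s = partial_block_safe(remaining, idx, RATE_BYTES_SHA3_256);

    printf("unsafe clamp: %u bytes, overrun=%d\n", u,
           overruns_block(u, idx, RATE_BYTES_SHA3_256));
    printf("safe clamp:   %u bytes, overrun=%d\n", s,
           overruns_block(s, idx, RATE_BYTES_SHA3_256));
    return 0;
}
```

For ordinary short inputs both functions agree, which is why this class of bug survives routine testing; the divergence only appears once the remaining length approaches the 32-bit limit, so a regression test for the patched code should include a length-near-2^32 case such as the one above rather than relying on small vectors.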
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1219
Vulnerability details
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.