Cyber Resilience

CVE-2022-42905

Critical · Public PoC

Published: 07 November 2022
Modified: 02 May 2025
KEV Added: not listed
Patch: v5.5.2-stable
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0479 (89.7th percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-42905 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in the wolfSSL library (vendor: wolfSSL). Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 10.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-42905 affects wolfSSL versions prior to 5.5.2 when the WOLFSSL_CALLBACKS compile-time flag is enabled. This debugging-only option activates callback functions that, under TLS 1.3, permit a heap buffer over-read of five bytes due to insufficient bounds checking on incoming handshake data.

A remote attacker can exploit the flaw without authentication by sending a crafted TLS 1.3 ClientHello or other handshake messages, either directly as a malicious client or via a man-in-the-middle position on the network. Successful exploitation discloses up to five bytes of adjacent heap memory, which may contain sensitive information such as session keys or application data, while also risking a crash that produces a denial-of-service condition.

The wolfSSL project addressed the issue in the v5.5.2-stable release by correcting the buffer handling logic inside the callback paths. Public advisories and the accompanying GitHub release notes recommend disabling WOLFSSL_CALLBACKS in all production builds, as the feature is explicitly intended only for debugging and is not required for normal operation. The associated EPSS score has remained low throughout its history and shows no material post-disclosure increase that would indicate emerging exploitation interest.
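The exposure described above depends on two build facts at once: a library version before 5.5.2 and a build compiled with WOLFSSL_CALLBACKS. The following script is an added example (not part of this advisory and not wolfSSL project code) that audits a build for both conditions by reading the installed headers. It assumes wolfSSL ships `wolfssl/version.h` with a `LIBWOLFSSL_VERSION_STRING` macro and that the configure-generated `wolfssl/options.h` carries one `#define` per enabled option; the header contents embedded below are constructed samples, not captured from a real installation.

```python
"""Audit a wolfSSL build for CVE-2022-42905 exposure.

Added example; not from the advisory page and not wolfSSL project code.
Assumptions (labelled): wolfSSL installs `wolfssl/version.h` defining
LIBWOLFSSL_VERSION_STRING, and `wolfssl/options.h` lists build options
as `#define` lines. Sample header texts below are constructed.
"""
import re
from dataclasses import dataclass
from pathlib import Path

# First release that corrects the callback-path buffer handling.
FIXED_VERSION = (5, 5, 2)


@dataclass
class BuildAssessment:
    version: tuple
    callbacks_enabled: bool

    @property
    def affected(self) -> bool:
        # Both conditions from the advisory must hold for the over-read
        # to be reachable: old version AND debugging callbacks compiled in.
        return self.version < FIXED_VERSION and self.callbacks_enabled

    @property
    def advice(self) -> str:
        if self.affected:
            return ("AFFECTED: upgrade to wolfSSL 5.5.2 or later and rebuild "
                    "without WOLFSSL_CALLBACKS")
        if self.callbacks_enabled:
            return ("NOT AFFECTED by CVE-2022-42905, but WOLFSSL_CALLBACKS is "
                    "a debugging-only option; disable it in production builds")
        return "NOT AFFECTED by CVE-2022-42905"


def parse_version(version_h: str) -> tuple:
    """Extract (major, minor, patch) from LIBWOLFSSL_VERSION_STRING."""
    m = re.search(
        r'#define\s+LIBWOLFSSL_VERSION_STRING\s+"(\d+)\.(\d+)\.(\d+)', version_h)
    if not m:
        raise ValueError("LIBWOLFSSL_VERSION_STRING not found in version.h")
    return tuple(int(x) for x in m.groups())


def callbacks_defined(options_h: str) -> bool:
    """True only for an active `#define WOLFSSL_CALLBACKS` line.

    A commented-out define (`/* #define WOLFSSL_CALLBACKS */`) or an
    `#undef` does not enable the option and is not counted.
    """
    for line in options_h.splitlines():
        if re.match(r'#define\s+WOLFSSL_CALLBACKS\b', line.strip()):
            return True
    return False


def assess(version_h: str, options_h: str) -> BuildAssessment:
    return BuildAssessment(parse_version(version_h), callbacks_defined(options_h))


def assess_install(include_dir: str) -> BuildAssessment:
    """Audit a real install tree (assumed layout: <include_dir>/wolfssl/)."""
    base = Path(include_dir) / "wolfssl"
    return assess((base / "version.h").read_text(), (base / "options.h").read_text())


# Constructed sample headers (not captured from a real wolfSSL install).
OLD_VERSION_H = '#define LIBWOLFSSL_VERSION_STRING "5.5.1"\n'
FIXED_VERSION_H = '#define LIBWOLFSSL_VERSION_STRING "5.5.2"\n'
CALLBACKS_OPTIONS_H = "#define WOLFSSL_TLS13\n#define WOLFSSL_CALLBACKS\n"
NO_CALLBACKS_OPTIONS_H = "#define WOLFSSL_TLS13\n/* #define WOLFSSL_CALLBACKS */\n"

if __name__ == "__main__":
    for label, vh, oh in [
        ("5.5.1 + callbacks", OLD_VERSION_H, CALLBACKS_OPTIONS_H),
        ("5.5.2 + callbacks", FIXED_VERSION_H, CALLBACKS_OPTIONS_H),
        ("5.5.1, no callbacks", OLD_VERSION_H, NO_CALLBACKS_OPTIONS_H),
    ]:
        print(f"{label}: {assess(vh, oh).advice}")
```

The script deliberately treats a fixed version that still carries WOLFSSL_CALLBACKS as worth flagging, since the advisory's guidance is to keep the option out of production builds regardless of version.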

EU & UK References

Vulnerability details

In wolfSSL before 5.5.2, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS 1.3 client or network attacker can trigger a buffer over-read on the heap of 5 bytes. (WOLFSSL_CALLBACKS is only intended for debugging.)

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

wolfssl
wolfssl
≤ 5.5.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References