CVE-2024-22086
Published: 05 January 2024
Summary
CVE-2024-22086 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Hayyp Cherry. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-22086 is a stack-based buffer overflow in the handle_request function within http.c of the cherry HTTP server project, affecting all versions through commit 4b877df. The flaw stems from an sscanf call that processes incoming URIs without adequate length validation, enabling an out-of-bounds write classified under CWE-787. The vulnerability carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction.
An unauthenticated remote attacker can send a specially crafted HTTP request containing an excessively long URI to trigger the overflow. Successful exploitation grants the ability to execute arbitrary code on the affected server, potentially leading to full system compromise given the high impact on confidentiality, integrity, and availability.
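The weakness class described above, as an added example that is not cherry's code and not taken from the referenced proof-of-concept: a request-line parser that uses a bare `%s` conversion in `sscanf` (the CWE-787 pattern), beside a hardened form that bounds every write with a width specifier and uses `%n` to reject, rather than silently truncate, a token that overran its limit. The buffer sizes, function names and the constructed request lines are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes are assumptions for this example, not values from cherry. */
#define METHOD_MAX 16
#define URI_MAX    256

/* Vulnerable pattern, illustrative of the CWE-787 class (not cherry's code):
 * a bare "%s" conversion has no width limit, so a URI longer than the
 * caller's buffer is written past its end. Never call with untrusted input. */
int parse_request_line_unchecked(const char *line, char *method, char *uri)
{
    return sscanf(line, "%s %s", method, uri) == 2;
}

static int is_delim(char c)
{
    return c == '\0' || isspace((unsigned char)c);
}

/* Hardened form. "%15s" and "%255s" bound each write to the buffer size minus
 * the terminating NUL, and "%n" records the scan position after each token.
 * A width limit alone truncates silently and leaves the tail of the token to
 * be parsed as the next field, so a token that did not end at a delimiter is
 * rejected outright. Returns 1 on success, 0 on malformed or over-long input. */
int parse_request_line(const char *line, char method[METHOD_MAX], char uri[URI_MAX])
{
    int after_method = 0, after_uri = 0;

    if (sscanf(line, "%15s%n %255s%n", method, &after_method, uri, &after_uri) != 2)
        return 0;
    if (!is_delim(line[after_method]) || !is_delim(line[after_uri]))
        return 0;                       /* width limit was hit mid-token */
    return 1;
}

/* Verdict-only wrapper for a complete request line. */
int request_line_ok(const char *line)
{
    char method[METHOD_MAX], uri[URI_MAX];
    return parse_request_line(line, method, uri);
}

/* Builds a constructed request line "GET /AAA... HTTP/1.1" whose URI is
 * exactly uri_len bytes, then reports whether the hardened parser accepts it.
 * Returns -1 if the requested line cannot be built in the local buffer. */
int uri_of_length_ok(size_t uri_len)
{
    char line[2048];

    if (uri_len == 0 || uri_len + 15 > sizeof line)
        return -1;
    memcpy(line, "GET /", 5);                  /* URI starts at line[4] */
    memset(line + 5, 'A', uri_len - 1);        /* pad URI to uri_len bytes */
    strcpy(line + 4 + uri_len, " HTTP/1.1");   /* version and terminator */
    return request_line_ok(line);
}

int main(void)
{
    printf("normal request accepted: %d\n", request_line_ok("GET /index.html HTTP/1.1"));
    printf("255-byte URI (fits the buffer) accepted: %d\n", uri_of_length_ok(255));
    printf("300-byte URI rejected (0): %d\n", uri_of_length_ok(300));
    printf("over-long method rejected (0): %d\n",
           request_line_ok("AVERYLONGMETHODNAME / HTTP/1.1"));
    return 0;
}
```

The width specifier is what closes the out-of-bounds write; the `%n` check is the caveat that matters for a server, because a silently truncated URI would otherwise be accepted with its tail misread as the HTTP version field.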
The EPSS score for this CVE rose from a low baseline to a peak of 0.0583 on 2025-12-11 before receding to the current value of 0.0316, indicating that exploitation interest increased after public disclosure. No mitigation details or patch guidance appear in the referenced GitHub issue reports.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-19683
Vulnerability details
handle_request in http.c in cherry through 4b877df has an sscanf stack-based buffer overflow via a long URI, leading to remote code execution.
- CWE(s): CWE-787 Out-of-bounds Write
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
A stack-based buffer overflow in HTTP request parsing (handle_request) allows remote code execution via a crafted long URI sent to a public-facing Cherry HTTP server or library, which is the pattern T1190 describes.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Memory protections that mark writable memory as non-executable prevent injected shellcode from running, and the same protections limit what an out-of-bounds write that corrupts control flow can achieve.