
CVE-2024-22086

Critical · Public PoC

Published: 05 January 2024
Modified: 18 June 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0316 (87.2nd percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-22086 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Hayyp Cherry. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

CVE-2024-22086 is a stack-based buffer overflow in the handle_request function within http.c of the cherry HTTP server project, affecting all versions through commit 4b877df. The flaw stems from an sscanf call that processes incoming URIs without adequate length validation, enabling an out-of-bounds write classified under CWE-787. The vulnerability carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction.

An unauthenticated remote attacker can send a specially crafted HTTP request containing an excessively long URI to trigger the overflow. Successful exploitation grants the ability to execute arbitrary code on the affected server, potentially leading to full system compromise given the high impact on confidentiality, integrity, and availability.
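As an added illustration of the fix this bug class needs (a constructed example, not the cherry project's own code; METHOD_MAX, URI_MAX and the request-line layout are assumptions): the unsafe pattern is an sscanf `%s` conversion with no field width writing into a fixed-size stack buffer, while the parser below bounds every conversion and rejects, rather than truncates, an over-long URI.

```c
#include <stdio.h>
#include <string.h>

/* Constructed limits for this example, not cherry's real buffer sizes.
 * The widths in the sscanf format below must stay equal to these. */
#define METHOD_MAX 8
#define URI_MAX 256

/* Hardened request-line parse: each %s carries a width one less than its
 * buffer, %n records how far sscanf got, and a truncated URI is rejected
 * rather than silently served. Returns 0 on success, -1 on reject. */
int parse_request_line(const char *line, char method[METHOD_MAX + 1],
                       char uri[URI_MAX + 1])
{
    int n = 0;
    if (sscanf(line, "%8s %256s%n", method, uri, &n) != 2)
        return -1;                       /* fewer than two tokens */
    /* If the byte after the parsed URI is not a delimiter, the URI was
     * longer than URI_MAX and sscanf cut it short. strchr also matches the
     * terminating NUL, so a bare "METHOD URI" line is accepted. */
    if (strchr(" \t\r\n", line[n]) == NULL)
        return -1;
    /* An over-long method spills its tail into uri; a request URI must
     * begin with '/', so such a spill is rejected too. */
    if (uri[0] != '/')
        return -1;
    return 0;
}

/* Verdict-only wrapper: 1 if the line is accepted, 0 if rejected. */
int request_line_ok(const char *line)
{
    char method[METHOD_MAX + 1], uri[URI_MAX + 1];
    return parse_request_line(line, method, uri) == 0;
}

/* Constructed request with a 601-byte URI; returns 1 if the hardened
 * parser refuses it instead of overrunning uri. */
int overlong_uri_rejected(void)
{
    char line[700];
    memset(line, 'A', sizeof line);
    memcpy(line, "GET /", 5);            /* method, space, start of URI */
    memcpy(line + 605, " HTTP/1.0", 9);  /* after 600 'A's, the version */
    line[614] = '\0';
    return request_line_ok(line) == 0;
}
```

Rejecting the request outright matters because a width alone would still let a truncated URI reach the handler with a different meaning than the client sent.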

The EPSS score for this CVE rose from a low baseline to a peak of 0.0583 on 2025-12-11 before receding to the current value of 0.0316, indicating that exploitation interest increased after public disclosure. No mitigation details or patch guidance appear in the referenced GitHub issue reports.


Vulnerability details

handle_request in http.c in cherry through 4b877df has an sscanf stack-based buffer overflow via a long URI, leading to remote code execution.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A stack-based buffer overflow in HTTP request parsing (handle_request) allows remote code execution via a crafted long URI sent to the public-facing cherry HTTP server/library.

Affected Assets

Vendor: hayyp
Product: cherry
Affected versions: ≤ 2021-01-05

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-787: Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
