CVE-2022-37454

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

CVSS v3:

  • Severity: Critical
  • Score: 9.8
  • Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

Software                        From     Fixed in
debian / debian_linux           10.0     10.0.x
debian / debian_linux           11.0     11.0.x
fedoraproject / fedora          35       35.x
fedoraproject / fedora          36       36.x
php / php                       8.0.0    8.0.25
php / php                       8.1.0    8.1.12
php / php                       7.2.0    7.4.33
python / python                 3.8.0    3.8.16
python / python                 3.9.0    3.9.16
python / python                 3.10.0   3.10.9
python / python                 3.6.0    3.7.16
sha3_project / sha3             -        1.0.5
pysha3_project / pysha3         -        -
pypy / pypy                     7.0.0    7.0.0.x
pysha3                          -        1.0.2.x
sha3                            -        1.0.5