ALPINE-CVE-2022-22721

ALPINE-CVE-2022-22721 PUBLISHED CVSS 9.100000381469727 CRITICAL

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

Risk Scores

CVSS v3.1

9.100000381469727

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Affected Products

Vendor	Product	Versions
Alpine:v3.19	apache2	0, 2.2.16-r0, 2.2.16-r1
Alpine:v3.16	apache2	2.2.16-r2, 2.2.16-r3, 2.2.17-r0
Alpine:v3.15	apache2	2.4.12-r4, 2.4.9-r1, 2.4.9-r0
Alpine:v3.14	apache2	0, 2.2.16-r0, 2.2.16-r1
Alpine:v3.17	apache2	0, 2.2.16-r0, 2.2.16-r1
Alpine:v3.23	apache2	2.2.21-r2, 0, 2.2.16-r0
Alpine:v3.13	apache2	2.2.17-r1, 2.4.9-r1, 2.4.9-r0
Alpine:v3.18	apache2	2.4.23-r5, 2.4.23-r4, 2.4.23-r3
Alpine:v3.20	apache2	2.2.16-r1, 0, 2.4.9-r1
Alpine:v3.22	apache2	2.4.17-r1, 2.4.17-r0, 2.2.16-r0
Alpine:v3.21	apache2	2.2.16-r0, 0, 2.4.17-r2
Alpine:v3.12	apache2	2.4.9-r1, 2.4.9-r0, 2.4.7-r0

Exploit Intelligence

macos_v2_generated.go (github-poc)
macos_v1_generated.go (github-poc)

Timeline

Mar 14, 2022 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2022-22721 advisory

Open in Interactive Console →