VDB
BIT-libphp-2022-37454
PUBLISHED
CVSS 9.8 CRITICAL
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
Risk Scores
CVSS v3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | libphp | 7.2.0, 8.0.0, 8.1.0 |
Timeline
- Aug 11, 2025 CVE Published
- Aug 11, 2025 CVE Updated
- Apr 30, 2026 Distribution Patch
References
- https://csrc.nist.gov/projects/hash-functions/sha-3-project
- https://eprint.iacr.org/2023/331
- https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658
- https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/
- https://mouha.be/sha-3-buffer-overflow/
- https://news.ycombinator.com/item?id=33281106
- https://news.ycombinator.com/item?id=35050307
- https://nvd.nist.gov/vuln/detail/CVE-2022-37454
- https://security.gentoo.org/glsa/202305-02
- https://security.netapp.com/advisory/ntap-20230203-0001/
- https://www.debian.org/security/2022/dsa-5267
- https://www.debian.org/security/2022/dsa-5269