{"api_version":"1","generated_at":"2026-04-23T00:59:45+00:00","cve":"CVE-2022-3602","urls":{"html":"https://cve.report/CVE-2022-3602","api":"https://cve.report/api/cve/CVE-2022-3602.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-3602","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-3602"},"summary":{"title":"X.509 Email Address 4-byte Buffer Overflow","description":"A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above has led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. 
Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).","state":"PUBLISHED","assigner":"openssl","published_at":"2022-11-01 18:15:10","updated_at":"2026-04-14 10:16:25"},"problem_types":["CWE-787","Buffer overflow","CWE-787 CWE-787 Out-of-bounds Write"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"http://www.openwall.com/lists/oss-security/2022/11/03/3","name":"http://www.openwall.com/lists/oss-security/2022/11/03/3","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party 
Advisory"],"title":"oss-security - Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/03/2","name":"http://www.openwall.com/lists/oss-security/2022/11/03/2","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer\n Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/03/1","name":"http://www.openwall.com/lists/oss-security/2022/11/03/1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow\n (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/01/16","name":"http://www.openwall.com/lists/oss-security/2022/11/01/16","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer\n Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/03/7","name":"http://www.openwall.com/lists/oss-security/2022/11/03/7","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow 
(CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/03/11","name":"http://www.openwall.com/lists/oss-security/2022/11/03/11","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow\n (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow\n (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DWP23EZYOBDJQP7HP4YU7W2ABU2YDITS/","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DWP23EZYOBDJQP7HP4YU7W2ABU2YDITS/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 37 Update: openssl-3.0.5-3.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/01/17","name":"http://www.openwall.com/lists/oss-security/2022/11/01/17","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow\n (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow\n (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/03/6","name":"http://www.openwall.com/lists/oss-security/2022/11/03/6","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer\n Overflow 
(CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/03/10","name":"http://www.openwall.com/lists/oss-security/2022/11/03/10","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow\n (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow\n (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/02/9","name":"http://www.openwall.com/lists/oss-security/2022/11/02/9","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/03/5","name":"http://www.openwall.com/lists/oss-security/2022/11/03/5","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow\n (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow\n (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-408105.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-408105.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/01/15","name":"http://www.openwall.com/lists/oss-security/2022/11/01/15","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - OpenSSL X.509 Email 
Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0023","name":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0023","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Security Advisory","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/02/6","name":"http://www.openwall.com/lists/oss-security/2022/11/02/6","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer\n Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/02/10","name":"http://www.openwall.com/lists/oss-security/2022/11/02/10","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: Fwd: Node.js security updates for all active\n release lines, November 2022","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.openssl.org/news/secadv/20221101.txt","name":"https://www.openssl.org/news/secadv/20221101.txt","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"","mime":"text/plain","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/02/7","name":"http://www.openwall.com/lists/oss-security/2022/11/02/7","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow\n (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow\n 
(CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a","name":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/02/11","name":"http://www.openwall.com/lists/oss-security/2022/11/02/11","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer\n Overflow (CVE-2022-3786)","mime":"text/x-c","httpstatus":"200","archivestatus":"404"},{"url":"http://packetstormsecurity.com/files/169687/OpenSSL-Security-Advisory-20221101.html","name":"http://packetstormsecurity.com/files/169687/OpenSSL-Security-Advisory-20221101.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","VDB Entry"],"title":"OpenSSL Security Advisory 20221101 ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/01/21","name":"http://www.openwall.com/lists/oss-security/2022/11/01/21","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow\n (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/02/12","name":"http://www.openwall.com/lists/oss-security/2022/11/02/12","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party 
Advisory"],"title":"oss-security - Re: Re: OpenSSL X.509 Email Address 4-byte\n Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer\n Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/01/18","name":"http://www.openwall.com/lists/oss-security/2022/11/01/18","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow\n (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/02/5","name":"http://www.openwall.com/lists/oss-security/2022/11/02/5","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer\n Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/01/20","name":"http://www.openwall.com/lists/oss-security/2022/11/01/20","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow\n (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow\n (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/03/9","name":"http://www.openwall.com/lists/oss-security/2022/11/03/9","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer\n 
Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fe3b639dc19b325846f4f6801f2f4604f56e3de3","name":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fe3b639dc19b325846f4f6801f2f4604f56e3de3","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link","Third Party Advisory"],"title":"git.openssl.org Git - openssl.git/commitdiff","mime":"text/xml","httpstatus":"404","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/02/13","name":"http://www.openwall.com/lists/oss-security/2022/11/02/13","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow\n (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow\n (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202211-01","name":"https://security.gentoo.org/glsa/202211-01","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Third Party Advisory"],"title":"OpenSSL: Multiple Vulnerabilities (GLSA 202211-01) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/01/19","name":"http://www.openwall.com/lists/oss-security/2022/11/01/19","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer\n Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.kb.cert.org/vuls/id/794340","name":"https://www.kb.cert.org/vuls/id/794340","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","US Government 
Resource"],"title":"VU#794340 - OpenSSL 3.0.0 to 3.0.6 decodes some punycode email addresses in X.509 certificates improperly","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/02/2","name":"http://www.openwall.com/lists/oss-security/2022/11/02/2","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow\n (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20221102-0001/","name":"https://security.netapp.com/advisory/ntap-20221102-0001/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"November 2022 OpenSSL Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/02/14","name":"http://www.openwall.com/lists/oss-security/2022/11/02/14","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/02/3","name":"http://www.openwall.com/lists/oss-security/2022/11/02/3","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer\n Overflow 
(CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63YRPWPUSX3MBHNPIEJZDKQT6YA7UF6S/","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63YRPWPUSX3MBHNPIEJZDKQT6YA7UF6S/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 36 Update: openssl-3.0.5-2.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/02/15","name":"http://www.openwall.com/lists/oss-security/2022/11/02/15","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer\n Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00789.html","name":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00789.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/01/24","name":"http://www.openwall.com/lists/oss-security/2022/11/01/24","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer\n Overflow 
(CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/11/02/1","name":"http://www.openwall.com/lists/oss-security/2022/11/02/1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: OpenSSL X.509 Email Address 4-byte Buffer\n Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer\n Overflow (CVE-2022-3786)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fe3b639dc19b325846f4f6801f2f4604f56e3de3","name":"CONFIRM:https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fe3b639dc19b325846f4f6801f2f4604f56e3de3","refsource":"MITRE","tags":[],"title":"git.openssl.org Git - openssl.git/commitdiff","mime":"text/xml","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DWP23EZYOBDJQP7HP4YU7W2ABU2YDITS/","name":"FEDORA:FEDORA-2022-0f1d2e0537","refsource":"MITRE","tags":[],"title":"[SECURITY] Fedora 37 Update: openssl-3.0.5-3.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/63YRPWPUSX3MBHNPIEJZDKQT6YA7UF6S/","name":"FEDORA:FEDORA-2022-502f096dce","refsource":"MITRE","tags":[],"title":"[SECURITY] Fedora 36 Update: openssl-3.0.5-2.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-3602","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3602","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6)","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"Calibre ICE","version":"affected V2022.4 V2023.1 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"Mcenter","version":"affected V5.2.1 V5.3.0 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE X204RNA (HSR)","version":"affected V3.2.7 V3.2.8 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE X204RNA (PRP)","version":"affected V3.2.7 V3.2.8 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE X204RNA EEC (HSR)","version":"affected V3.2.7 V3.2.8 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE X204RNA EEC (PRP)","version":"affected V3.2.7 V3.2.8 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE X204RNA EEC (PRP/HSR)","version":"affected V3.2.7 V3.2.8 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SICAM GridPass","version":"affected V1.80 V2.20 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC RTLS Locating Manager","version":"affected V2.13.0.0 V2.13.0.3 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Polar 
Bear","lang":"en"}],"nvd_cpes":[{"cve_year":"2022","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"26","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"27","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"clustered_data_ontap","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"18.12.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"19.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13"
:"*"},{"cve_year":"2022","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openssl","cpe5":"openssl","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2022","cve_id":"3602","cve":"CVE-2022-3602","epss":"0.832190000","percentile":"0.992680000","score_date":"2026-04-15","updated_at":"2026-04-16 00:13:56"},"legacy_qids":[{"cve":"CVE-2022-3602","qid":"160191","title":"Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2022-7288)"},{"cve":"CVE-2022-3602","qid":"160192","title":"Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2022-9968)"},{"cve":"CVE-2022-3602","qid":"160258","title":"Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2022-10004)"},{"cve":"CVE-2022-3602","qid":"183501","title":"Debian Security Update for Open Secure Sockets Layer (OpenSSL) (CVE-2022-3602)"},{"cve":"CVE-2022-3602","qid":"199012","title":"Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-5710-1)"},{"cve":"CVE-2022-3602","qid":"199113","title":"Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-5710-1)"},{"cve":"CVE-2022-3602","qid":"199114","title":"Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-5710-1)"},{"cve":"CVE-2022-3602","qid":"199115","title":"Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-5710-1)"},{"cve":"CVE-2022-3602","qid":"199116","title":"Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-5710-1)"},{"cve":"CVE-2022-3602","qid":"199117","title":"Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-5710-1)"},{"cve":"CVE-2022-3602","qid":"240798","title":"Red Hat Update for 
Open Secure Sockets Layer (OpenSSL) (RHSA-2022:7288)"},{"cve":"CVE-2022-3602","qid":"283270","title":"Fedora Security Update for Open Secure Sockets Layer (OpenSSL) (FEDORA-2022-502f096dce)"},{"cve":"CVE-2022-3602","qid":"283442","title":"Fedora Security Update for Open Secure Sockets Layer (OpenSSL) (FEDORA-2022-0f1d2e0537)"},{"cve":"CVE-2022-3602","qid":"296086","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 51.132.1 Missing (CPUOCT2022)"},{"cve":"CVE-2022-3602","qid":"296098","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 52.132.2 Missing (CPUOCT2022)"},{"cve":"CVE-2022-3602","qid":"330128","title":"IBM AIX Multiple Vulnerabilities in Open Secure Sockets Layer (OpenSSL) (openssl_advisory37)"},{"cve":"CVE-2022-3602","qid":"354102","title":"Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS2022-2022-157"},{"cve":"CVE-2022-3602","qid":"354404","title":"Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS2022-2022-157"},{"cve":"CVE-2022-3602","qid":"355250","title":"Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS2023-2023-051"},{"cve":"CVE-2022-3602","qid":"355273","title":"Amazon Linux Security Advisory for nodejs : ALAS2023-2023-084"},{"cve":"CVE-2022-3602","qid":"377733","title":"Open Secure Sockets Layer (OpenSSL) Less Than 3.0.7 Buffer Overflow Vulnerability (Scan Utility)"},{"cve":"CVE-2022-3602","qid":"377881","title":"Node.js Multiple Vulnerabilities (November 2022)"},{"cve":"CVE-2022-3602","qid":"377934","title":"Node.js Multiple Vulnerabilities (November 2022)"},{"cve":"CVE-2022-3602","qid":"38879","title":"Open Secure Sockets Layer (OpenSSL) Less Than 3.0.7 Buffer Overflow Vulnerability"},{"cve":"CVE-2022-3602","qid":"43945","title":"FortiOS - Unauthorized Command Execution Vulnerability (FG-IR-22-419)"},{"cve":"CVE-2022-3602","qid":"502587","title":"Alpine Linux Security Update for Open Secure Sockets Layer3 
(OpenSSL3)"},{"cve":"CVE-2022-3602","qid":"502747","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2022-3602","qid":"502755","title":"Alpine Linux Security Update for openssl"},{"cve":"CVE-2022-3602","qid":"503688","title":"Alpine Linux Security Update for openssl3"},{"cve":"CVE-2022-3602","qid":"520001","title":"Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (CVE-2022-3602, CVE-2022-3786)"},{"cve":"CVE-2022-3602","qid":"591335","title":"Hitachi Energy PCU400 Reliance on Uncontrolled Component Multiple Vulnerabilities (ICSA-23-019-01, 8DBD 000137)"},{"cve":"CVE-2022-3602","qid":"690972","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for Open Secure Sockets Layer (OpenSSL) (0844671c-5a09-11ed-856e-d4c9ef517024)"},{"cve":"CVE-2022-3602","qid":"710678","title":"Gentoo Linux Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (GLSA 202211-01)"},{"cve":"CVE-2022-3602","qid":"752752","title":"SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL-3) (SUSE-SU-2022:3843-1)"},{"cve":"CVE-2022-3602","qid":"940723","title":"AlmaLinux Security Update for Open Secure Sockets Layer (OpenSSL) (ALSA-2022:7288)"},{"cve":"CVE-2022-3602","qid":"960515","title":"Rocky Linux Security Update for Open Secure Sockets Layer (OpenSSL) (RLSA-2022:7288)"}]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2025-11-04T19:13:04.845Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.openssl.org/news/secadv/20221101.txt"},{"tags":["x_transferred"],"url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fe3b639dc19b325846f4f6801f2f4604f56e3de3"},{"name":"[oss-security] 20221101 OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow 
(CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/15"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/16"},{"name":"20221028 Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022","tags":["vendor-advisory","x_transferred"],"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/21"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/19"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/18"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/20"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow 
(CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/24"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/17"},{"name":"GLSA-202211-01","tags":["vendor-advisory","x_transferred"],"url":"https://security.gentoo.org/glsa/202211-01"},{"tags":["x_transferred"],"url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0023"},{"name":"VU#794340","tags":["third-party-advisory","x_transferred"],"url":"https://www.kb.cert.org/vuls/id/794340"},{"name":"FEDORA-2022-0f1d2e0537","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DWP23EZYOBDJQP7HP4YU7W2ABU2YDITS/"},{"name":"FEDORA-2022-502f096dce","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63YRPWPUSX3MBHNPIEJZDKQT6YA7UF6S/"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/2"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/6"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow 
(CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/5"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/1"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/3"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/7"},{"name":"[oss-security] 20221102 Re: Fwd: Node.js security updates for all active release lines, November 2022","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/10"},{"name":"[oss-security] 20221102 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/9"},{"tags":["x_transferred"],"url":"http://packetstormsecurity.com/files/169687/OpenSSL-Security-Advisory-20221101.html"},{"name":"[oss-security] 20221102 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/12"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable 
Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/11"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/15"},{"name":"[oss-security] 20221102 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/14"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/13"},{"tags":["x_transferred"],"url":"https://security.netapp.com/advisory/ntap-20221102-0001/"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/1"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/2"},{"name":"[oss-security] 20221103 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/3"},{"name":"[oss-security] 20221103 Re: OpenSSL X.509 Email Address 4-byte 
Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/5"},{"name":"[oss-security] 20221103 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/7"},{"name":"[oss-security] 20221103 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/6"},{"name":"[oss-security] 20221103 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/9"},{"name":"[oss-security] 20221103 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/10"},{"name":"[oss-security] 20221103 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/11"},{"url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00789.html"}],"title":"CVE Program 
Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2022-3602","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2025-04-23T13:26:56.588972Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-787","description":"CWE-787 Out-of-bounds Write","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-05-05T16:12:48.023Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"defaultStatus":"unknown","product":"Calibre ICE","vendor":"Siemens","versions":[{"lessThan":"V2023.1","status":"affected","version":"V2022.4","versionType":"custom"}]},{"defaultStatus":"unknown","product":"Mcenter","vendor":"Siemens","versions":[{"lessThan":"V5.3.0","status":"affected","version":"V5.2.1","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE X204RNA (HSR)","vendor":"Siemens","versions":[{"lessThan":"V3.2.8","status":"affected","version":"V3.2.7","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE X204RNA (PRP)","vendor":"Siemens","versions":[{"lessThan":"V3.2.8","status":"affected","version":"V3.2.7","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE X204RNA EEC (HSR)","vendor":"Siemens","versions":[{"lessThan":"V3.2.8","status":"affected","version":"V3.2.7","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE X204RNA EEC 
(PRP)","vendor":"Siemens","versions":[{"lessThan":"V3.2.8","status":"affected","version":"V3.2.7","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE X204RNA EEC (PRP/HSR)","vendor":"Siemens","versions":[{"lessThan":"V3.2.8","status":"affected","version":"V3.2.7","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SICAM GridPass","vendor":"Siemens","versions":[{"lessThan":"V2.20","status":"affected","version":"V1.80","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC RTLS Locating Manager","vendor":"Siemens","versions":[{"lessThan":"V2.13.0.3","status":"affected","version":"V2.13.0.0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-04-14T08:58:02.339Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-408105.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"product":"OpenSSL","vendor":"OpenSSL","versions":[{"status":"affected","version":"Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6)"}]}],"credits":[{"lang":"en","value":"Polar Bear"}],"datePublic":"2022-11-01T00:00:00.000Z","descriptions":[{"lang":"en","value":"A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. 
The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6)."}],"metrics":[{"other":{"content":{"lang":"eng","url":"https://www.openssl.org/policies/secpolicy.html#HIGH","value":"HIGH"},"type":"unknown"}}],"problemTypes":[{"descriptions":[{"description":"Buffer overflow","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2022-11-03T00:00:00.000Z","orgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","shortName":"openssl"},"references":[{"url":"https://www.openssl.org/news/secadv/20221101.txt"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fe3b639dc19b325846f4f6801f2f4604f56e3de3"},{"name":"[oss-security] 20221101 OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/15"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/16"},{"name":"20221028 Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022","tags":["vendor-advisory"],"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer 
Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/21"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/19"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/18"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/20"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/24"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow 
(CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/17"},{"name":"GLSA-202211-01","tags":["vendor-advisory"],"url":"https://security.gentoo.org/glsa/202211-01"},{"url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0023"},{"name":"VU#794340","tags":["third-party-advisory"],"url":"https://www.kb.cert.org/vuls/id/794340"},{"name":"FEDORA-2022-0f1d2e0537","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DWP23EZYOBDJQP7HP4YU7W2ABU2YDITS/"},{"name":"FEDORA-2022-502f096dce","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63YRPWPUSX3MBHNPIEJZDKQT6YA7UF6S/"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/2"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/6"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/5"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/1"},{"name":"[oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow 
(CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/3"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/7"},{"name":"[oss-security] 20221102 Re: Fwd: Node.js security updates for all active release lines, November 2022","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/10"},{"name":"[oss-security] 20221102 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/9"},{"url":"http://packetstormsecurity.com/files/169687/OpenSSL-Security-Advisory-20221101.html"},{"name":"[oss-security] 20221102 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/12"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/11"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/15"},{"name":"[oss-security] 20221102 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow 
(CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/14"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/02/13"},{"url":"https://security.netapp.com/advisory/ntap-20221102-0001/"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/1"},{"name":"[oss-security] 20221102 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/2"},{"name":"[oss-security] 20221103 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/3"},{"name":"[oss-security] 20221103 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/5"},{"name":"[oss-security] 20221103 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/7"},{"name":"[oss-security] 20221103 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow 
(CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/6"},{"name":"[oss-security] 20221103 Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/9"},{"name":"[oss-security] 20221103 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/10"},{"name":"[oss-security] 20221103 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/03/11"}],"title":"X.509 Email Address 4-byte Buffer Overflow"}},"cveMetadata":{"assignerOrgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","assignerShortName":"openssl","cveId":"CVE-2022-3602","datePublished":"2022-11-01T00:00:00.000Z","dateReserved":"2022-10-19T00:00:00.000Z","dateUpdated":"2026-04-14T08:58:02.339Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2022-11-01 18:15:10","lastModifiedDate":"2026-04-14 10:16:25","problem_types":["CWE-787","Buffer overflow","CWE-787 CWE-787 Out-of-bounds 
Write"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.0.7","matchCriteriaId":"BE1F59CA-02F2-4374-A129-18713496B58B"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","matchCriteriaId":"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","matchCriteriaId":"E30D0E6F-4AE8-4284-8716-991DFA48CC5D"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*","matchCriteriaId":"1FE996B1-6951-4F85-AA58-B99A379D2163"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:26:*:*:*:*:*:*:*","matchCriteriaId":"6E4D8269-B407-4C24-AAB0-02F885C7D752"},{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:27:*:*:*:*:*:*:*","matchCriter
iaId":"DBEACBFF-6D05-4B69-BF7A-F7E539D9BF6E"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"18.0.0","versionEndExcluding":"18.11.0","matchCriteriaId":"CAC42CA8-8B01-4A19-A83C-A7D4D08E5E43"},{"vulnerable":true,"criteria":"cpe:2.3:a:nodejs:node.js:18.12.0:*:*:*:lts:*:*:*","matchCriteriaId":"7B1F87EE-4E30-4832-BF01-8501E94380EE"},{"vulnerable":true,"criteria":"cpe:2.3:a:nodejs:node.js:19.0.0:*:*:*:-:*:*:*","matchCriteriaId":"F568BBC5-0D8E-499C-9F3E-DDCE5F10F9D5"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"3602","Ordinal":"1","Title":"X.509 Email Address 4-byte Buffer Overflow","CVE":"CVE-2022-3602","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"3602","Ordinal":"1","NoteData":"A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. 
In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).","Type":"Description","Title":"X.509 Email Address 4-byte Buffer Overflow"}]}}}