{"api_version":"1","generated_at":"2026-05-13T01:24:18+00:00","cve":"CVE-2022-41860","urls":{"html":"https://cve.report/CVE-2022-41860","api":"https://cve.report/api/cve/CVE-2022-41860.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-41860","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-41860"},"summary":{"title":"CVE-2022-41860","description":"In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2023-01-17 18:15:00","updated_at":"2023-01-24 19:53:00"},"problem_types":["CWE-476"],"metrics":[],"references":[{"url":"https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a","name":"https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a","refsource":"MISC","tags":[],"title":"it's probably wrong to be completely retarded.  Let's fix that. · FreeRADIUS/freeradius-server@f1cdbb3 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://freeradius.org/security/","name":"https://freeradius.org/security/","refsource":"MISC","tags":[],"title":"Releases","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-41860","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41860","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"41860","vulnerable":"1","versionEndIncluding":"3.0.25","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"freeradius","cpe5":"freeradius","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-41860","qid":"160598","title":"Oracle Enterprise Linux Security Update for freeradius (ELSA-2023-2166)"},{"cve":"CVE-2022-41860","qid":"160659","title":"Oracle Enterprise Linux Security Update for freeradius:3.0 (ELSA-2023-2870)"},{"cve":"CVE-2022-41860","qid":"181610","title":"Debian Security Update for freeradius (DLA 3342-1)"},{"cve":"CVE-2022-41860","qid":"184317","title":"Debian Security Update for freeradius (CVE-2022-41860)"},{"cve":"CVE-2022-41860","qid":"199082","title":"Ubuntu Security Notification for FreeRADIUS Vulnerabilities (USN-5785-1)"},{"cve":"CVE-2022-41860","qid":"241426","title":"Red Hat Update for freeradius (RHSA-2023:2166)"},{"cve":"CVE-2022-41860","qid":"241539","title":"Red Hat Update for freeradius:3.0 (RHSA-2023:2870)"},{"cve":"CVE-2022-41860","qid":"283513","title":"Fedora Security Update for freeradius (FEDORA-2022-98832b2cc2)"},{"cve":"CVE-2022-41860","qid":"354797","title":"Amazon Linux Security Advisory for freeradius : ALAS2-2023-1970"},{"cve":"CVE-2022-41860","qid":"354812","title":"Amazon Linux Security Advisory for freeradius : ALAS-2023-1699"},{"cve":"CVE-2022-41860","qid":"378746","title":"Alibaba Cloud Linux Security Update for freeradius:3.0 (ALINUX3-SA-2023:0087)"},{"cve":"CVE-2022-41860","qid":"503092","title":"Alpine Linux Security Update for freeradius"},{"cve":"CVE-2022-41860","qid":"672602","title":"EulerOS Security Update for freeradius (EulerOS-SA-2023-1312)"},{"cve":"CVE-2022-41860","qid":"753064","title":"SUSE Enterprise Linux Security Update for freeradius-server (SUSE-SU-2022:4622-1)"},{"cve":"CVE-2022-41860","qid":"753065","title":"SUSE Enterprise Linux Security Update for freeradius-server (SUSE-SU-2022:4620-1)"},{"cve":"CVE-2022-41860","qid":"753067","title":"SUSE Enterprise Linux Security Update for freeradius-server (SUSE-SU-2022:4621-1)"},{"cve":"CVE-2022-41860","qid":"753070","title":"SUSE Enterprise Linux Security Update for freeradius-server (SUSE-SU-2022:4626-1)"},{"cve":"CVE-2022-41860","qid":"753554","title":"SUSE Enterprise Linux Security Update for freeradius-server (SUSE-SU-2023:0124-1)"},{"cve":"CVE-2022-41860","qid":"905309","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for freeradius (13062)"},{"cve":"CVE-2022-41860","qid":"907399","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for freeradius (13062-1)"},{"cve":"CVE-2022-41860","qid":"941045","title":"AlmaLinux Security Update for freeradius (ALSA-2023:2166)"},{"cve":"CVE-2022-41860","qid":"941105","title":"AlmaLinux Security Update for freeradius:3.0 (ALSA-2023:2870)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-41860","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-476","cweId":"CWE-476"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"freeradius","version":{"version_data":[{"version_affected":"=","version_value":"All versions from 0.9.3 to 3.0.25"}]}}]}}]}},"references":{"reference_data":[{"url":"https://freeradius.org/security/","refsource":"MISC","name":"https://freeradius.org/security/"},{"url":"https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a","refsource":"MISC","name":"https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a"}]}},"nvd":{"publishedDate":"2023-01-17 18:15:00","lastModifiedDate":"2023-01-24 19:53:00","problem_types":["CWE-476"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:freeradius:freeradius:*:*:*:*:*:*:*:*","versionStartIncluding":"0.9.3","versionEndIncluding":"3.0.25","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}