PT-2022-5188 · Unknown+11 · Keccak Xkcp Sha-3+11

Nicky Mouha · Published 2022-10-20 · Updated 2026-03-10 · CVE-2022-37454

CVSS v2.0: 10 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Keccak XKCP SHA-3 reference implementation, versions before fdc6fef

Description: The issue is an integer overflow, and a resultant buffer overflow, in the sponge function interface of the Keccak XKCP SHA-3 reference implementation. This allows attackers to execute arbitrary code or eliminate expected cryptographic properties. The problem occurs when partial data with specific sizes are queued, where at least one of the queued parts has a length of 2^32 - 200 bytes or more.

Recommendations: To resolve the issue, update the Keccak XKCP SHA-3 reference implementation to a version after fdc6fef. As a temporary workaround, limit the size of each partial input (or partial output digest) to below 2^32 - 200 bytes. Alternatively, process the entire input (or produce the entire output) at once, avoiding the queuing functions altogether.
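To make the overflow concrete, here is an added illustration (not XKCP's code, and not from this advisory's author) of the defect class the description names: a remaining length that is truncated to 32 bits before it is clamped against the free space left in the rate, shown beside a clamp that compares in full width first. The 136-byte rate, the 100-byte queue offset and all variable names are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values: SHA3-256 absorbs 136 bytes per block; the full
 * Keccak-p[1600] state is 200 bytes, which is the buffer being written. */
#define RATE_BYTES  136u
#define STATE_BYTES 200u

/* Flawed clamping pattern (modelled on the description, not XKCP's code):
 * the remaining length is narrowed to 32 bits before the bounds check, so
 * partialBlock + byteIOIndex wraps modulo 2^32 and the clamp is skipped. */
static unsigned int clamp_truncated(uint64_t remaining, unsigned int byteIOIndex)
{
    unsigned int partialBlock = (unsigned int)remaining;   /* truncation to 32 bits */
    if (partialBlock + byteIOIndex > RATE_BYTES)            /* sum can wrap to 0 */
        partialBlock = RATE_BYTES - byteIOIndex;
    return partialBlock;                                    /* would be the memcpy length */
}

/* Hardened clamp: compute the free space, compare at full width, cast last. */
static unsigned int clamp_fixed(uint64_t remaining, unsigned int byteIOIndex)
{
    unsigned int space = RATE_BYTES - byteIOIndex;
    if (remaining > space)
        return space;
    return (unsigned int)remaining;
}

/* Returns 1 if copying n bytes at offset byteIOIndex would run past the state. */
static int copy_overflows_state(unsigned int byteIOIndex, unsigned int n)
{
    return (uint64_t)byteIOIndex + n > STATE_BYTES;
}

int main(void)
{
    unsigned int byteIOIndex = 100;                  /* constructed: 100 bytes already queued */
    uint64_t remaining = (1ULL << 32) - byteIOIndex; /* at or above the 2^32 - 200 threshold */
    unsigned int v = clamp_truncated(remaining, byteIOIndex);
    unsigned int f = clamp_fixed(remaining, byteIOIndex);
    printf("truncated clamp: %u bytes, overflows state: %d\n", v, copy_overflows_state(byteIOIndex, v));
    printf("fixed clamp:     %u bytes, overflows state: %d\n", f, copy_overflows_state(byteIOIndex, f));
    return 0;
}
```

The workaround in the recommendations works for the same reason the fixed clamp does: a caller that never hands the queuing function a part of 2^32 - 200 bytes or more keeps the truncated sum from wrapping.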

Tags: Exploit · Fix · DoS · Integer Overflow · RCE · Buffer Overflow


Weakness Enumeration

Related Identifiers

ALSA-2023:0848
ALSA-2023:0965
ALSA-2023:2417
ALSA-2023:2903
ALSA-2025_16880
ALT-PU-2022-2960
ALT-PU-2022-2964
ALT-PU-2022-2986
ALT-PU-2022-2988
ALT-PU-2022-2994
ALT-PU-2022-3024
ALT-PU-2022-3093
ALT-PU-2022-3107
ALT-PU-2023-1518
ALT-PU-2023-1951
ALT-PU-2024-2598
ALT-PU-2024-3474
AZL-11501
AZL-11503
BDU:2022-06445
BIT-LIBPHP-2022-37454
BIT-LIBPYTHON-2022-37454
BIT-PHP-2022-37454
BIT-PHP-MIN-2022-37454
BIT-PYTHON-2022-37454
BIT-PYTHON-MIN-2022-37454
CESA-2023_0848
CESA-2023_2903
CVE-2022-37454
DLA-3174-1
DLA-3175-1
DLA-3243-1
DSA-5267-1
DSA-5269-1
DSA-5277-1
GHSA-6W4M-2XHG-2658
OESA-2022-2137
OESA-2023-1023
OESA-2023-1045
OPENSUSE-SU-2022_3997-1
OPENSUSE-SU-2022_4005-1
OPENSUSE-SU-2022_4067-1
OPENSUSE-SU-2022_4069-1
OPENSUSE-SU-2022_4281-1
OPENSUSE-SU-2024:12461-1
OPENSUSE-SU-2024:12476-1
OPENSUSE-SU-2024:12559-1
OPENSUSE-SU-2024:12563-1
PSF-2022-11
RHSA-2023:0848
RHSA-2023:0965
RHSA-2023:2417
RHSA-2023:2903
RHSA-2023_0848
RHSA-2023_0965
RHSA-2023_2417
RHSA-2023_2903
RLSA-2023:0848
RLSA-2023:0965
ROSA-SA-2025-2676
SUSE-SU-2022:3924-1
SUSE-SU-2022:3997-1
SUSE-SU-2022:4005-1
SUSE-SU-2022:4067-1
SUSE-SU-2022:4068-1
SUSE-SU-2022:4069-1
SUSE-SU-2022:4274-1
SUSE-SU-2022:4281-1
SUSE-SU-2023:0707-1
SUSE-SU-2023:0748-1
USN-5717-1
USN-5767-1
USN-5767-3
USN-5888-1
USN-5930-1
USN-5931-1
USN-6524-1
USN-6525-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Keccak Xkcp Sha-3
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu