CVE-2022-3219

LOW
Published Feb 23, 20233y ago · Modified Jun 17, 20262w ago
3.3 CVSS 3.1
Low
Find Similar
Published Feb 23, 2023 3y ago
Last Modified Jun 17, 2026 2w ago

Description

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

CVSS Details

Base Score
3.3
Exploitability
1.8
Impact
1.4
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability Low

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 1

VendorProductVersionRange
gnupggnupg*any

References 6

  • access.redhat.com https://access.redhat.com/security/cve/CVE-2022-3219
    Third Party Advisory
  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2127010
    Issue TrackingThird Party Advisory
  • dev.gnupg.org https://dev.gnupg.org/D556
    Patch
  • dev.gnupg.org https://dev.gnupg.org/T5993
    Patch
  • marc.info https://marc.info/?l=oss-security&m=165696590211434&w=4
    Mailing ListPatch
  • security.netapp.com https://security.netapp.com/advisory/ntap-20230324-0001/
    Third Party Advisory

Remediation

  • dev.gnupg.org https://dev.gnupg.org/D556
    Patch
  • dev.gnupg.org https://dev.gnupg.org/T5993
    Patch
  • marc.info https://marc.info/?l=oss-security&m=165696590211434&w=4
    Mailing ListPatch