Vulnerability Report

CVE-2022-3786

Title: Nodejs Node.Js Memory Corruption

Memory Corruption

Proof Of Concept

PoC Available for CVE-2022-3786

CWE Category CWE-120

Published Date Nov 01, 2022

Modified Date Apr 14, 2026

Exploit Status Available

Score 7.5 CVSS v3.1

Exploit Probability (EPSS)

27.30%

Vulnerability Summary

CVE-2022-3786: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

Impacted Vendors

Reference Links

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a https://www.openssl.org/news/secadv/20221101.txt https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00789.html https://www.kb.cert.org/vuls/id/794340 https://www.openssl.org/news/secadv/20221101.txt

CVSS v3.1

Source Entity [email protected]

Severity HIGH

7.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v3.1

Source Entity 134c704f-9b21-4f2e-91b3-4a467353bcc0

Severity HIGH

7.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2022-3786 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/NCSC-NL/OpenSSL-2022

View Code

GitHub https://github.com/rbowes-r7/cve-2022-3602-and-cve-2022-3786-openssl-poc

View Code

GitHub https://github.com/WhatTheFuzz/openssl-fuzz

View Code

April 14, 2026 MODIFIED

Vulnerability data updated via NVD.

November 04, 2025 MODIFIED

Vulnerability data or affected products updated.

November 01, 2022 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Stack

No specific products linked.