Updated: 2025-08-20 03:09:03.448649
Description:
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
Links: NIST, CIRCL, RHEL, Ubuntu

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | | 0.0 |
| CVSS Version 3.x | CRITICAL | 9.8 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Alpine Linux 3.22 | php | 7.3 | 9.8 | CRITICAL | Released | CLSA-2026:1771245338 | 2026-02-16 14:41:20 | Not affected: Python addressed CVE-2022-37454 by porting the upstream XKCP SHA‑3 fix in 3.9.16, so... |
| Alpine Linux 3.22 | php | 7.4 | 9.8 | CRITICAL | Not Vulnerable | | 2026-01-23 13:40:06 | Not affected: Python addressed CVE-2022-37454 by porting the upstream XKCP SHA‑3 fix in 3.9.16, so... |
| Alpine Linux 3.22 | php | 8.1 | 9.8 | CRITICAL | Not Vulnerable | | 2026-02-18 11:30:42 | Not affected: Python addressed CVE-2022-37454 by porting the upstream XKCP SHA‑3 fix in 3.9.16, so... |
| Debian 10 | php | 8.0 | 9.8 | CRITICAL | Not Vulnerable | | 2025-05-29 03:54:29 | |
| Debian 10 | php | 5.6 | 9.8 | CRITICAL | Not Vulnerable | | 2025-05-29 03:54:30 | |
| Debian 10 | php | 7.3 | 9.8 | CRITICAL | Released | | 2025-05-29 03:54:29 | |
| Debian 10 | php | 8.2 | 9.8 | CRITICAL | Not Vulnerable | | 2025-05-29 03:54:29 | |
| Debian 10 | php | 8.1 | 9.8 | CRITICAL | Not Vulnerable | | 2025-05-29 03:54:29 | |
| Debian 10 | php | 7.0 | 9.8 | CRITICAL | Not Vulnerable | | 2025-05-29 03:54:30 | |
| Debian 10 | php | 7.1 | 9.8 | CRITICAL | Not Vulnerable | | 2025-05-29 03:54:29 | |