Updated: 2025-08-20 03:09:03.448649
Description:
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | CRITICAL | 9.8 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Alpine Linux 3.22 | python | 3.9 | 9.8 | CRITICAL | Not Vulnerable | 2026-02-02 14:29:54 | Not affected: Python addressed CVE-2022-37454 by porting the upstream XKCP SHA‑3 fix in 3.9.16, so... | |
| Alpine Linux 3.22 | python | 3.7 | 9.8 | CRITICAL | Already Fixed | 2026-02-16 14:40:41 | Not affected: Python addressed CVE-2022-37454 by porting the upstream XKCP SHA‑3 fix in 3.9.16, so... | |
| Alpine Linux 3.22 | python | 3.8 | 9.8 | CRITICAL | Not Vulnerable | 2026-02-07 04:07:45 | Not affected: Python addressed CVE-2022-37454 by porting the upstream XKCP SHA‑3 fix in 3.9.16, so... | |
| Alpine Linux 3.22 | python | 3.6 | 9.8 | CRITICAL | Released | CLSA-2026:1769524909 | 2026-01-27 16:43:35 | Not affected: Python addressed CVE-2022-37454 by porting the upstream XKCP SHA‑3 fix in 3.9.16, so... |
| Debian 10 | python | 3.6 | 9.8 | CRITICAL | Released | CLSA-2025:1759247273 | 2025-10-01 01:28:07 | |
| Debian 11 | python | 3.6 | 9.8 | CRITICAL | Released | CLSA-2025:1759247378 | 2025-10-01 01:28:06 | |
| Debian 12 | python | 3.9 | 9.8 | CRITICAL | Not Vulnerable | 2025-12-04 16:07:23 | Not affected: Python addressed CVE-2022-37454 by porting the upstream XKCP SHA‑3 fix in 3.9.16, so... | |
| Debian 12 | python | 3.7 | 9.8 | CRITICAL | Already Fixed | 2025-11-10 21:42:24 | Not affected: Python addressed CVE-2022-37454 by porting the upstream XKCP SHA‑3 fix in 3.9.16, so... | |
| Debian 12 | python | 3.6 | 9.8 | CRITICAL | Released | CLSA-2025:1759247489 | 2025-10-01 01:28:05 | Not affected: Python addressed CVE-2022-37454 by porting the upstream XKCP SHA‑3 fix in 3.9.16, so... |
| Debian 12 | python | 3.8 | 9.8 | CRITICAL | Not Vulnerable | 2025-11-11 19:00:47 | Not affected: Python addressed CVE-2022-37454 by porting the upstream XKCP SHA‑3 fix in 3.9.16, so... |