Vulnerability Details : CVE-2022-3219
GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.
Products affected by CVE-2022-3219
- cpe:2.3:a:gnupg:gnupg:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-3219
0.01%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 1 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-3219
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
3.3
|
LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
1.8
|
1.4
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-03-12 |
|
3.3
|
LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
1.8
|
1.4
|
NIST |
CWE ids for CVE-2022-3219
-
The product writes data past the end, or before the beginning, of the intended buffer.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2022-3219
-
https://dev.gnupg.org/D556
⚙ D556 Disallow compressed signatures and certificatesPatch
-
https://bugzilla.redhat.com/show_bug.cgi?id=2127010
2127010 – (CVE-2022-3219) CVE-2022-3219 gnupg: denial of service issue (resource consumption) using compressed packetsIssue Tracking;Third Party Advisory
-
https://dev.gnupg.org/T5993
⚓ T5993 gpg should reject compressed packets outside of messagesPatch
-
https://access.redhat.com/security/cve/CVE-2022-3219
CVE-2022-3219- Red Hat Customer PortalThird Party Advisory
-
https://security.netapp.com/advisory/ntap-20230324-0001/
CVE-2022-3219 GnuPG Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://marc.info/?l=oss-security&m=165696590211434&w=4
'[oss-security] Re: Denial of service in GnuPG' - MARCMailing List;Patch
Jump to