Vulnerability Details : CVE-2022-41860
In FreeRADIUS, when an EAP-SIM supplicant sends an unknown SIM option, the server tries to look that option up in its internal dictionaries. The lookup fails, but the SIM code does not check for that failure; instead it dereferences a NULL pointer and crashes the server.
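The defect class described above (an attribute-dictionary lookup whose NULL result is used without a check) is easiest to see next to its fix. The following is an added, constructed C example, not FreeRADIUS code: the dictionary, option format, option ids and names are invented stand-ins, and `parse_options` is a hypothetical decoder that shows where the missing check belongs and rejects a message carrying an unknown option instead of dereferencing NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, hypothetical attribute dictionary (not FreeRADIUS's). */
typedef struct {
    uint8_t     id;
    const char *name;
    size_t      min_len;   /* minimum value length the decoder accepts */
} attr_def_t;

static const attr_def_t k_dict[] = {
    { 1, "OPT_NONCE",   4 },
    { 2, "OPT_COUNTER", 2 },
};

/* Like any dictionary lookup: returns NULL for an id it does not know. */
static const attr_def_t *dict_lookup(uint8_t id) {
    for (size_t i = 0; i < sizeof k_dict / sizeof k_dict[0]; i++) {
        if (k_dict[i].id == id) return &k_dict[i];
    }
    return NULL;
}

/* Vulnerable pattern: the lookup result is trusted unconditionally.
 * For an unknown id, def is NULL and def->min_len faults the process. */
static int check_len_unchecked(uint8_t id, size_t len) {
    const attr_def_t *def = dict_lookup(id);
    return (len >= def->min_len) ? 0 : -1;
}

/* Hardened pattern: the NULL result is handled before any use. */
static int check_len_checked(uint8_t id, size_t len) {
    const attr_def_t *def = dict_lookup(id);
    if (def == NULL) return -2;            /* unknown option: reject */
    return (len >= def->min_len) ? 0 : -1; /* known option, too short */
}

/* Decode a constructed option list of the form [id:1][len:1][value:len]...
 * Returns the number of options accepted, or -1 if any option is
 * truncated, unknown, or shorter than the dictionary requires. */
static int parse_options(const uint8_t *buf, size_t buflen) {
    size_t off = 0;
    int count = 0;
    while (off < buflen) {
        if (buflen - off < 2) return -1;          /* no room for header */
        uint8_t id  = buf[off];
        uint8_t len = buf[off + 1];
        if (buflen - off - 2 < len) return -1;    /* value runs past end */
        if (check_len_checked(id, len) != 0) return -1; /* the missing check */
        off += 2 + len;
        count++;
    }
    return count;
}

/* Constructed sample messages. */
static const uint8_t k_known_msg[]   = { 1, 4, 0xde, 0xad, 0xbe, 0xef, 2, 2, 0x00, 0x07 };
static const uint8_t k_unknown_msg[] = { 1, 4, 0xde, 0xad, 0xbe, 0xef, 9, 1, 0x00 };
static const uint8_t k_short_msg[]   = { 2, 1, 0x07 };

static int demo_known(void)   { return parse_options(k_known_msg,   sizeof k_known_msg); }
static int demo_unknown(void) { return parse_options(k_unknown_msg, sizeof k_unknown_msg); }
static int demo_short(void)   { return parse_options(k_short_msg,   sizeof k_short_msg); }

int main(void) {
    printf("known options:   %d\n", demo_known());    /* 2 */
    printf("unknown option:  %d\n", demo_unknown());  /* -1 */
    printf("short option:    %d\n", demo_short());    /* -1 */
    /* check_len_unchecked(9, 1) would dereference NULL; it is only safe
     * to call with an id present in the dictionary. */
    printf("unchecked known: %d\n", check_len_unchecked(1, 4)); /* 0 */
    return 0;
}
```

The decoder rejects the whole message on the first unknown option, which is the conservative choice for an authentication exchange; a server that instead wants to skip unknown options must still take the `def == NULL` branch and advance `off` by `2 + len` without touching `def`.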
Products affected by CVE-2022-41860
- cpe:2.3:a:freeradius:freeradius:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-41860
- EPSS score: 0.33% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~53% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-41860
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-04-07 |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2022-41860
- The product dereferences a pointer that it expects to be valid but is NULL. (Assigned by: secalert@redhat.com, Secondary)
References for CVE-2022-41860
- https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a ("it's probably wrong to be completely retarded. Let's fix that." · FreeRADIUS/freeradius-server@f1cdbb3 · GitHub) - Patch; Third Party Advisory
- https://freeradius.org/security/ (Releases) - Patch; Vendor Advisory