CVE-2022-3602 — OpenSSL X.509 punycode buffer overflow
4-byte stack buffer overflow in OpenSSL 3.0's X.509 email-address punycode decoder, triggered by parsing an attacker-controlled certificate with a crafted Name Constraints extension. Stack canaries on most modern Linux distros downgrade this from RCE to DoS in practice, but the original disclosure was rated Critical before mitigations were assessed.
TL;DR
- Originally rated Critical, downgraded to High after stack-canary mitigations were factored in.
- Affected only OpenSSL 3.0.x. The widely-deployed 1.1.x branch was never vulnerable.
- Triggered by parsing a malicious certificate during TLS handshake — an attacker needs you to validate their cert.
- Stable distros shipping OpenSSL 1.1.x (Debian 11, Ubuntu 20.04) were never exposed.
- Bundled fix with CVE-2022-3786 (companion 1-byte overflow) — both patched in OpenSSL 3.0.7.
At a glance
| CVE ID | CVE-2022-3602 |
|---|---|
| Severity | High (CVSS 7.5) · originally rated Critical pre-mitigations |
| CVSS 3.1 score | 7.5 |
| CVSS vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CWE | CWE-787 (Out-of-bounds Write) |
| EPSS (probability of exploit, 30-day) | Low (~0.05) |
| CISA KEV listed | No |
| Published | 2022-11-01 |
| Last updated (NVD) | 2022-11-08 |
Affected versions and fix paths
Per-distro fix versions for the packages most homelab fleets run. Match the installed version on your host against the vulnerable column; upgrade to the fixed column.
| Package / distro | Vulnerable | Fixed in |
|---|---|---|
| OpenSSL upstream | 3.0.0 — 3.0.6 | 3.0.7 |
| Ubuntu 22.04 LTS | 3.0.2-0ubuntu1.6 and earlier | 3.0.2-0ubuntu1.7 |
| Debian 12 (Bookworm) | Not affected (ships 3.0.11 or later by default) | n/a |
| Debian 11 (Bullseye) | Not affected (ships 1.1.1n) | n/a |
| Rocky Linux 9 / RHEL 9 | Not affected (3.0.1 backports were patched) | openssl-3.0.1-43.el9_0 |
| AlmaLinux 9 | Not affected | openssl-3.0.1-43.el9_0 |
| OpenSSL 1.1.x | Not affected (different code path) | n/a |
Quick scan check
Run this on each homelab host to determine the installed version. Compare against the table above.
```bash
openssl version
# Affected: 3.0.0 through 3.0.6
# Safe: 1.1.x or 3.0.7+
```
Most stable Linux distros either shipped a 3.0.x < 3.0.7 and patched it via security update, or never shipped a vulnerable 3.0.x at all. Run the version check and compare against the per-distro fix table.
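The version check above tells you the upstream release, but the fix table shows that on Ubuntu 22.04 and RHEL 9 the patched build still reports 3.0.2 or 3.0.1, so the decision needs the distro package revision as well. The following script is an added example (not part of this page or the Noxen tooling) that parses `openssl version` output, treats anything outside 3.0.0 through 3.0.6 as not affected, and for the in-range builds compares the installed package revision against the fixed revisions from the table. The fleet labels `ubuntu-22.04` and `rhel-9` and the simplified version-token comparison are assumptions made for the example; the fixed revision strings are the ones in the table.

```python
"""Classify OpenSSL builds against CVE-2022-3602 / CVE-2022-3786 (fixed upstream in 3.0.7)."""
import re
import shutil
import subprocess

# Upstream vulnerable range from the fix table: 3.0.0 through 3.0.6, fixed in 3.0.7.
FIXED_UPSTREAM = (3, 0, 7)

# Distro package revisions that carry the backported fix (values from the fix table).
# The keys are hypothetical fleet labels chosen for this example.
DISTRO_FIXED = {
    "ubuntu-22.04": "3.0.2-0ubuntu1.7",
    "rhel-9": "3.0.1-43.el9_0",
}


def parse_openssl_version(output):
    """Extract (major, minor, patch) from `openssl version` output.
    'OpenSSL 3.0.2 15 Mar 2022' -> (3, 0, 2); letter suffixes such as 1.1.1n are dropped."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("unrecognised openssl version output: %r" % output)
    return tuple(int(x) for x in m.groups())


def _version_tokens(v):
    """Split a package version into comparable tokens: digit runs compare numerically,
    everything else lexically. This is a simplified stand-in for dpkg/rpm ordering
    (assumption) that is sufficient for the revision strings in the fix table."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[^\d]+", v)]


def package_is_fixed(installed, fixed):
    """True when the installed distro package revision is at or above the fixed one."""
    return _version_tokens(installed) >= _version_tokens(fixed)


def classify(version_output, distro=None, package_version=None):
    """Return 'not-affected', 'vulnerable', 'fixed' or 'check-backport'.

    - 1.1.x, 3.0.7+ and later branches are not affected.
    - A 3.0.0..3.0.6 build with no distro (e.g. built from source) is vulnerable.
    - A 3.0.0..3.0.6 build on a distro in DISTRO_FIXED is judged by its package revision.
    - Otherwise the backport status is unknown and must be checked against the vendor.
    """
    ver = parse_openssl_version(version_output)
    if ver[:2] != (3, 0) or ver >= FIXED_UPSTREAM:
        return "not-affected"
    if distro is None:
        return "vulnerable"
    if distro in DISTRO_FIXED and package_version:
        return "fixed" if package_is_fixed(package_version, DISTRO_FIXED[distro]) else "vulnerable"
    return "check-backport"


def scan_local_host(distro=None, package_version=None):
    """Run `openssl version` on this host (if present) and classify the result."""
    if shutil.which("openssl") is None:
        return "openssl-not-installed"
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    return classify(out, distro=distro, package_version=package_version)


if __name__ == "__main__":
    # Constructed sample inputs (not captured from a real host), then the local host.
    print(classify("OpenSSL 3.0.2 15 Mar 2022", "ubuntu-22.04", "3.0.2-0ubuntu1.6"))  # vulnerable
    print(classify("OpenSSL 3.0.2 15 Mar 2022", "ubuntu-22.04", "3.0.2-0ubuntu1.7"))  # fixed
    print(scan_local_host())
```

On a Debian-family host the package revision comes from `dpkg-query -W -f='${Version}' libssl3`, on RHEL-family hosts from `rpm -q --qf '%{VERSION}-%{RELEASE}' openssl`; feed that string in as `package_version`. A result of `check-backport` means the build is in the upstream vulnerable range on a distro this table does not cover, so the vendor advisory decides, not the upstream version number.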
What Noxen does about this
Noxen inventories openssl / libssl3 package versions across your fleet and matches them against the live feed — including the linked CVE-2022-3786, which shipped in the same patch.
The deep-dive
For the full narrative — disclosure timeline, exploit mechanics, defence-in-depth context, and homelab-shape risk assessment — read CVE-2022-3602 and CVE-2022-3786 in your homelab on the Noxen blog.