CVE-2022-3786 — OpenSSL X.509 punycode 1-byte overflow
Companion to CVE-2022-3602 — a 1-byte stack buffer overflow in OpenSSL 3.0's X.509 email-address punycode decoder. Same trigger (malicious certificate during TLS validation), same patch (OpenSSL 3.0.7), same mitigations (stack canaries downgrade RCE to DoS). Was originally co-disclosed under the same Critical pre-rating.
TL;DR
- Companion to CVE-2022-3602 — same trigger, same fix, same mitigations.
- 1-byte overflow rather than 4-byte; bundled in the same OpenSSL 3.0.7 release.
- If your scan finds CVE-2022-3602 vulnerable, expect to find this one too.
- Stable distros that shipped 1.1.x (Debian 11, Ubuntu 20.04) were never exposed to either.
At a glance
| Field | Value |
|---|---|
| CVE ID | CVE-2022-3786 |
| Severity | High (CVSS 7.5) · companion to CVE-2022-3602 |
| CVSS 3.1 score | 7.5 |
| CVSS vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CWE | CWE-120 (Buffer Copy without Checking Size of Input) |
| EPSS (probability of exploit, 30-day) | Low (~0.05) |
| CISA KEV listed | No |
| Published | 2022-11-01 |
| Last updated (NVD) | 2022-11-08 |
Affected versions and fix paths
Per-distro fix versions for the packages most homelab fleets run. Match the installed version on your host against the vulnerable column; upgrade to the fixed column.
| Package / distro | Vulnerable | Fixed in |
|---|---|---|
| OpenSSL upstream | 3.0.0 to 3.0.6 | 3.0.7 |
| Ubuntu 22.04 LTS | 3.0.2-0ubuntu1.6 and earlier | 3.0.2-0ubuntu1.7 |
| Debian 12 (Bookworm) | Not affected | n/a |
| Rocky Linux 9 / RHEL 9 | openssl-3.0.1 (pre-backport) | openssl-3.0.1-43.el9_0 |
| AlmaLinux 9 | Not affected after backport | openssl-3.0.1-43.el9_0 |
| OpenSSL 1.1.x | Not affected | n/a |
Quick scan check
Run this on each homelab host to determine the installed version. Compare against the table above.
```sh
openssl version
# Same as CVE-2022-3602: affected 3.0.0 to 3.0.6
# The two CVEs are bundled in the same patch.
```
If you've patched for CVE-2022-3602, you've patched for this too. Both ship in the same OpenSSL 3.0.7 release.
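A small helper that turns the manual comparison above into a repeatable check, as an added example and not part of Noxen's own scanner: it classifies an `openssl version` string against the upstream range in the table (3.0.0 to 3.0.6 vulnerable, 3.0.7 and later fixed, any other release line not affected), and, where dpkg is present, compares the installed libssl3 package revision against the Ubuntu 22.04 fixed version from the table. The function names, the sample version strings and the output labels are constructed here; the only version values taken from the page are the upstream range and 3.0.2-0ubuntu1.7.

```sh
#!/bin/sh
# Added example, not Noxen's scanner: classify a host against CVE-2022-3786
# (and its companion CVE-2022-3602) using the ranges from the table above.

# Upstream rule: 3.0.0 to 3.0.6 vulnerable, 3.0.7 and later fixed, and any
# other release line (1.1.x, 3.1.x, ...) never shipped the affected decoder.
# Prints one of: vulnerable | fixed | not-affected | unknown
# Usage: cve_2022_3786_status "$(openssl version)"
cve_2022_3786_status() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    # Drop a letter suffix such as the "q" in 1.1.1q before splitting.
    base=$(printf '%s\n' "$ver" | sed 's/[A-Za-z].*$//')
    case "$base" in
        *.*.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major$minor$patch" in
        *[!0-9]*|'') echo unknown; return 0 ;;
    esac
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ]; then
        if [ "$patch" -le 6 ]; then echo vulnerable; else echo fixed; fi
    else
        echo not-affected
    fi
}

# Distro caveat: Ubuntu 22.04 keeps the upstream string "3.0.2" after the
# security backport, so `openssl version` alone reports a patched host as
# vulnerable. Where dpkg is available, compare the libssl3 package revision
# against the fixed version instead (pass 3.0.2-0ubuntu1.7 for Ubuntu 22.04).
# Prints one of: vulnerable | fixed | unknown
dpkg_libssl3_status() {
    command -v dpkg-query >/dev/null 2>&1 || { echo unknown; return 0; }
    pkgver=$(dpkg-query -W -f='${Version}' libssl3 2>/dev/null) || { echo unknown; return 0; }
    if dpkg --compare-versions "$pkgver" ge "$1"; then echo fixed; else echo vulnerable; fi
}

# Self-check on a constructed sample string, then the live host if openssl exists.
sample='OpenSSL 3.0.2 15 Mar 2022'   # constructed sample, not read from a host
printf 'sample  %s -> %s\n' "$sample" "$(cve_2022_3786_status "$sample")"
if command -v openssl >/dev/null 2>&1; then
    live=$(openssl version) || live=''
    printf 'host    %s -> %s\n' "$live" "$(cve_2022_3786_status "$live")"
    printf 'dpkg    libssl3 vs 3.0.2-0ubuntu1.7 -> %s\n' "$(dpkg_libssl3_status 3.0.2-0ubuntu1.7)"
fi
```

Treat the upstream-string result as a first pass only: on a distro that backports fixes without bumping the upstream version, the package-revision check is the one that decides, which is why the script prints both.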
What Noxen does about this
Same probe as CVE-2022-3602 — Noxen's package-manifest scan flags both CVEs from a single OpenSSL version comparison.
The deep-dive
For the full narrative — disclosure timeline, exploit mechanics, defence-in-depth context, and homelab-shape risk assessment — read CVE-2022-3602 and CVE-2022-3786 in your homelab on the Noxen blog.
Authoritative sources