CVE-2022-0778 | Infinite loop in BN_mod_sqrt() reachable when parsing certificates

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

Published: 2022-03-15 Last update: 2026-04-14 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2022-0778 is rated High Risk (69.8/100): CVSS High severity, with high exploitation likelihood (EPSS 70.56%, 99th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +63.02% over the last day, indicating growing attacker interest. High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2022-0778

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 7.54% 70.56% +63.02%
2 2026-06-04 6.86% 7.54% +0.68%
3 2026-05-22 6.86%

Full EPSS history (124 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2022-0778

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 3.9 3.6 [email protected]
5.0 2.0 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:N)
No integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 2.9 [email protected]

Weakness enumeration for CVE-2022-0778

GitHub Security Advisory for CVE-2022-0778

GHSA-x3mh-jvjw-3xwx · Severity: high · Ecosystem: rust — openssl-src's infinite loop in `BN_mod_sqrt()` reachable when parsing certificates

OS Trackers for CVE-2022-0778

vendor priority summary link
alpine CVE-2022-0778: 7 source package rows (libressl, libretls, …); 91 state rows across 15 repos (3.12-main, 3.17-community, 3.17-main, 3.18-community, 3.18-main, 3.19-community, 3.19-main, 3.20-community, 3.20-main, 3.21-community, 3.21-main, 3.22-community, 3.22-main, edge-community, edge-main); fixed 42, open 49. https://security.alpinelinux.org/vuln/CVE-2022-0778
debian not yet assigned CVE-2022-0778 not yet assigned priority: Debian including 1 source packages (openssl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2022-0778
gentoo low CVE-2022-0778: 2 GLSA(s) (202210-02, 202405-29), 2 atom(s) (dev-libs/openssl, net-libs/nodejs); latest impact low. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2022-0778
redhat high https://access.redhat.com/security/cve/CVE-2022-0778
suse high CVE-2022-0778 severity important: SUSE including 444 source package names (1.1.1.0.1.5.568:libopenssl1_1-1.1.0i-14.27.1, 1.1.1.0.1.5.568:openssl-1_1-1.1.0i-14.27.1, …), 979 product×package rows across 133 product lines (Container caasp/v4/cilium, Container caasp/v4/cilium-operator, … (133 product lines)): Fixed 727, Known Affected 181, Known Not Affected 71. https://www.suse.com/security/cve/CVE-2022-0778/
ubuntu high CVE-2022-0778 high priority: Ubuntu including 4 source packages (edk2, nodejs, openssl, openssl1.0), 56 status rows across 14 suites (bionic, focal, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 20, released 17, DNE 13, needs-triage 3, needed 2, ignored 1. https://ubuntu.com/security/CVE-2022-0778

Affected software / configurations for CVE-2022-0778

Vendor Product Version Raw CPE
openssl openssl >= 1.0.2, < 1.0.2zd cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
openssl openssl >= 1.1.0, < 1.1.1n cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
openssl openssl >= 3.0.0, < 3.0.2 cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
debian debian_linux 9.0 cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debian debian_linux 10.0 cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
debian debian_linux 11.0 cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
netapp cloud_volumes_ontap_mediator cpe:2.3:a:netapp:cloud_volumes_ontap_mediator:-:*:*:*:*:*:*:*
netapp clustered_data_ontap cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
netapp clustered_data_ontap_antivirus_connector cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*
netapp santricity_smi-s_provider cpe:2.3:a:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:*
netapp storagegrid cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*
netapp a250_firmware cpe:2.3:o:netapp:a250_firmware:-:*:*:*:*:*:*:*
netapp 500f_firmware cpe:2.3:o:netapp:500f_firmware:-:*:*:*:*:*:*:*
fedoraproject fedora 34 cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
fedoraproject fedora 36 cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
tenable nessus < 8.15.4 cpe:2.3:a:tenable:nessus:*:*:*:*:*:*:*:*
tenable nessus >= 10.0.0, < 10.1.2 cpe:2.3:a:tenable:nessus:*:*:*:*:*:*:*:*
mariadb mariadb >= 10.2.0, < 10.2.42 cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
mariadb mariadb >= 10.3.0, < 10.3.33 cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
mariadb mariadb >= 10.4.0, < 10.4.23 cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
mariadb mariadb >= 10.5.0, < 10.5.14 cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
mariadb mariadb >= 10.6.0, < 10.6.6 cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
mariadb mariadb >= 10.7.0, < 10.7.2 cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
nodejs node.js >= 12.0.0, <= 12.12.0 cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
nodejs node.js >= 12.13.0, < 12.22.11 cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
nodejs node.js > 14.0.0, <= 14.14.0 cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
nodejs node.js >= 14.15.0, < 14.19.1 cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
nodejs node.js > 16.0.0, <= 16.12.0 cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
nodejs node.js >= 16.13.0, < 16.14.2 cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
nodejs node.js > 17.0.0, < 17.7.2 cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

References for CVE-2022-0778

URL Tags
http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2022/May/33 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/35 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/38 Mailing List Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf Third Party Advisory
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246
https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002 Third Party Advisory
https://security.gentoo.org/glsa/202210-02 Third Party Advisory
https://security.netapp.com/advisory/ntap-20220321-0002/ Third Party Advisory
https://security.netapp.com/advisory/ntap-20220429-0005/ Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/
https://support.apple.com/kb/HT213255 Third Party Advisory
https://support.apple.com/kb/HT213256 Third Party Advisory
https://support.apple.com/kb/HT213257 Third Party Advisory
https://www.debian.org/security/2022/dsa-5103 Third Party Advisory
https://www.openssl.org/news/secadv/20220315.txt Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Third Party Advisory
https://www.tenable.com/security/tns-2022-06 Third Party Advisory
https://www.tenable.com/security/tns-2022-07 Third Party Advisory
https://www.tenable.com/security/tns-2022-08 Third Party Advisory
https://www.tenable.com/security/tns-2022-09 Third Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-019200.html
https://cert-portal.siemens.com/productcert/html/ssa-028723.html
https://cert-portal.siemens.com/productcert/html/ssa-108696.html
https://cert-portal.siemens.com/productcert/html/ssa-398330.html
https://cert-portal.siemens.com/productcert/html/ssa-712929.html
cvelogic Threat Intelligence