CVE-2022-1473 | Resource leakage when decoding certificates and keys

The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).

Published: 2022-05-03 Last update: 2025-05-05 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2022-1473 is rated Moderate Risk (47.2/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.28%). Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2022-1473

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-11-21 0.97% 0.28% -0.68%
2 2025-11-18 0.27% 0.97% +0.70%
3 2025-09-03 0.27%

Full EPSS history (13 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2022-1473

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 3.9 3.6 [email protected]
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 3.9 3.6 134c704f-9b21-4f2e-91b3-4a467353bcc0
5.0 2.0 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:N)
No integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 2.9 [email protected]

Weakness enumeration for CVE-2022-1473

GitHub Security Advisory for CVE-2022-1473

GHSA-g323-fr93-4j3c · Severity: high · Ecosystem: rust — Resource leakage when decoding certificates and keys

OS Trackers for CVE-2022-1473

vendor priority summary link
alpine CVE-2022-1473: 2 source package rows (openssl, openssl3); 18 state rows across 7 repos (3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 8, open 10. https://security.alpinelinux.org/vuln/CVE-2022-1473
debian unimportant CVE-2022-1473 unimportant priority: Debian including 1 source packages (openssl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2022-1473
gentoo normal CVE-2022-1473: 1 GLSA(s) (202210-02), 1 atom(s) (dev-libs/openssl); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2022-1473
redhat medium https://access.redhat.com/security/cve/CVE-2022-1473
suse high CVE-2022-1473 severity important: SUSE including 69 source package names (compat-openssl098, libopenssl-1_0_0-devel, …), 407 product×package rows across 59 product lines (HPE Helion OpenStack 8, SUSE CaaS Platform 4.0, … (59 product lines)): Known Not Affected 355, Fixed 52. https://www.suse.com/security/cve/CVE-2022-1473/
ubuntu low CVE-2022-1473 low priority: Ubuntu including 4 source packages (edk2, nodejs, openssl, openssl1.0), 56 status rows across 14 suites (bionic, focal, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 29, DNE 13, released 10, needs-triage 3, needed 1. https://ubuntu.com/security/CVE-2022-1473

Affected software / configurations for CVE-2022-1473

Vendor Product Version Raw CPE
openssl openssl >= 3.0.0, < 3.0.3 cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
netapp active_iq_unified_manager cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*
netapp clustered_data_ontap cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
netapp clustered_data_ontap_antivirus_connector cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*
netapp santricity_smi-s_provider cpe:2.3:a:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:*
netapp smi-s_provider cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*
netapp snapmanager cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:hyper-v:*:*
netapp solidfire\,_enterprise_sds_\&_hci_storage_node cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:*:*:*:*:*:*:*
netapp solidfire_\&_hci_management_node cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:*
netapp a700s_firmware cpe:2.3:o:netapp:a700s_firmware:-:*:*:*:*:*:*:*
netapp h300s_firmware cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
netapp h500s_firmware cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
netapp h700s_firmware cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
netapp h300e_firmware cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
netapp h500e_firmware cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
netapp h700e_firmware cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
netapp h410s_firmware cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
netapp aff_8300_firmware cpe:2.3:o:netapp:aff_8300_firmware:-:*:*:*:*:*:*:*
netapp fas_8300_firmware cpe:2.3:o:netapp:fas_8300_firmware:-:*:*:*:*:*:*:*
netapp aff_8700_firmware cpe:2.3:o:netapp:aff_8700_firmware:-:*:*:*:*:*:*:*
netapp fas_8700_firmware cpe:2.3:o:netapp:fas_8700_firmware:-:*:*:*:*:*:*:*
netapp aff_a400_firmware cpe:2.3:o:netapp:aff_a400_firmware:-:*:*:*:*:*:*:*
netapp fabric-attached_storage_a400_firmware cpe:2.3:o:netapp:fabric-attached_storage_a400_firmware:-:*:*:*:*:*:*:*
netapp a250_firmware cpe:2.3:o:netapp:a250_firmware:-:*:*:*:*:*:*:*
netapp aff_500f_firmware cpe:2.3:o:netapp:aff_500f_firmware:-:*:*:*:*:*:*:*
netapp fas_500f_firmware cpe:2.3:o:netapp:fas_500f_firmware:-:*:*:*:*:*:*:*

References for CVE-2022-1473

cvelogic Threat Intelligence