CVE-2022-3466 | Cri-o: security regression of cve-2022-27652

The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via RHBA-2022:6316, RHBA-2022:6257, and RHBA-2022:6658, respectively, included an incorrect version of cri-o missing the fix for CVE-2022-27652, which was previously fixed in OCP 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600. This issue could allow an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. For more details, see https://access.redhat.com/security/cve/CVE-2022-27652.

Published: 2023-09-15 Last update: 2024-11-21 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2022-3466 is rated Low Risk (23.6/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.04%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2022-3466

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2023-09-16 0.04%

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2022-3466

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
4.8 3.1 MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.
 1.3 3.4 [email protected]
5.3 3.1 MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.
 1.8 3.4 [email protected]

Weakness enumeration for CVE-2022-3466

OS Trackers for CVE-2022-3466

vendor priority summary link
redhat low https://access.redhat.com/security/cve/CVE-2022-3466
suse medium CVE-2022-3466 severity moderate: SUSE including 2 source package names (cri-o, cri-o-kubeadm-criconfig), 2 product×package rows across 1 product lines (SUSE CaaS Platform 4.0): Will Not Fix 2. https://www.suse.com/security/cve/CVE-2022-3466/
ubuntu medium CVE-2022-3466 medium priority: Ubuntu including 1 source packages (cri-o), 5 status rows across 5 suites (focal, jammy, noble, oracular, upstream): DNE 4, needs-triage 1. https://ubuntu.com/security/CVE-2022-3466

Affected software / configurations for CVE-2022-3466

Vendor Product Version Raw CPE
kubernetes cri-o cpe:2.3:a:kubernetes:cri-o:-:*:*:*:*:*:*:*
redhat openshift_container_platform 3.11 cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
redhat openshift_container_platform 4.12 cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*

References for CVE-2022-3466

cvelogic Threat Intelligence