CVE-2022-39368 | Californium Failing DTLS handshakes causes Data Loss due to throttling blocking processing of records

Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud services. In versions prior to 3.7.0, and 2.7.4, Californium is vulnerable to a Denial of Service. Failing handshakes don't cleanup counters for throttling, causing the threshold to be reached without being released again. This results in permanently dropping records. The issue was reported for certificate based handshakes, but may also affect PSK based handshakes. It generally affects client and server as well. This issue is patched in version 3.7.0 and 2.7.4. There are no known workarounds. main: commit 726bac57659410da463dcf404b3e79a7312ac0b9 2.7.x: commit 5648a0c27c2c2667c98419254557a14bac2b1f3f

Published: 2022-11-09 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2022-39368 is rated Moderate Risk (47.8/100): CVSS High severity, with low exploitation likelihood (EPSS 0.55%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2022-39368

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.10% 0.55% +0.45%
2 2025-11-21 0.27% 0.10% -0.17%
3 2025-11-18 0.27%

Full EPSS history (7 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2022-39368

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
8.2 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
3.9 4.2 [email protected]
8.2 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
3.9 4.2 [email protected]

Weakness enumeration for CVE-2022-39368

GitHub Security Advisory for CVE-2022-39368

GHSA-p72g-cgh9-ghjg · Severity: high · Ecosystem: maven — Failing DTLS handshakes may cause throttling to block processing of records

OS Trackers for CVE-2022-39368

vendor priority summary link
redhat medium https://access.redhat.com/security/cve/CVE-2022-39368

Affected software / configurations for CVE-2022-39368

Vendor Product Version Raw CPE
eclipse californium < 2.7.4 cpe:2.3:a:eclipse:californium:*:*:*:*:*:*:*:*
eclipse californium >= 3.0.0, < 3.7.0 cpe:2.3:a:eclipse:californium:*:*:*:*:*:*:*:*

References for CVE-2022-39368

cvelogic Threat Intelligence