CVE-2022-2576
CVE-2022-2576 is a high-severity vulnerability in Eclipse Californium with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-408.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 1% (40th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-408
- Affected product: Eclipse Californium
- Published:
- Last modified:
Description
In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.
Frequently asked questions
- What is CVE-2022-2576?
- In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.
- How severe is CVE-2022-2576?
- CVE-2022-2576 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2022-2576 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (40th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-2576?
- CVE-2022-2576 affects Eclipse Californium. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-2576?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-2576 published?
- CVE-2022-2576 was published on 2022-07-29 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:eclipse:californium:*:*:*:*:*:*:*:*
More vulnerabilities in Eclipse Californium
- CVE-2022-39368 — High (CVSS 8.2): Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud services. In…
- CVE-2021-34433 — High (CVSS 7.5): In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS…
- CVE-2020-27222 — High (CVSS 7.5): In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails,…
All CVEs affecting Eclipse Californium →
Other CWE-408 vulnerabilities
- CVE-2026-41405 — High (CVSS 7.5): OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing…
- CVE-2020-1657 — High (CVSS 7.5): On SRX Series devices, a vulnerability in the key-management-daemon (kmd) daemon of Juniper Networks Junos OS allows an…
- CVE-2026-3592 — Medium (CVSS 5.3): BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a…
- CVE-2026-41374 — Medium (CVSS 5.3): OpenClaw before 2026.3.31 performs Discord audio preflight transcription before validating member authorization,…
- CVE-2026-41331 — Medium (CVSS 5.3): OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that…