CVE-2022-37454: A Buffer Overflow Vulnerability Affecting Implementations of SHA-3 (G22a)
This talk describes a buffer overflow vulnerability in the SHA-3 implementation submitted to NIST, which remained undetected for well over a decade. The vulnerability affects several widely used software projects that have integrated variants of this code, including the Python and PHP scripting languages. It allows attacker-controlled values to be XORed into memory, thereby making many standard protection measures against buffer overflows (e.g., canary values) completely ineffective. A proof-of-concept that allows arbitrary code execution is provided.
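Why a canary check does not notice an XOR-style out-of-bounds write, shown as an added model that is not code from the talk or from the affected SHA-3 implementation. The frame layout, canary bytes and function names are constructed for illustration, and every write stays inside one local array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame: [buf | canary | saved value].
   Every write stays inside frame[], so this program is itself memory-safe. */
enum { BUF_LEN = 8, CANARY_OFF = 8, SAVED_OFF = 16, FRAME_LEN = 24 };
static const uint8_t CANARY[8] = {0x00,0x7c,0x31,0xa9,0x5e,0xd2,0x14,0xb6};
static const uint8_t SAVED[8]  = {0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80};

enum write_kind { WRITE_COPY, WRITE_XOR };
enum { CANARY_TRIPPED = 1, SAVED_CHANGED = 2 };

/* Apply an over-long input to the frame and report what changed. */
int run_overflow(enum write_kind kind, const uint8_t *in, size_t n) {
    uint8_t frame[FRAME_LEN] = {0};
    int result = 0;
    memcpy(frame + CANARY_OFF, CANARY, sizeof CANARY);
    memcpy(frame + SAVED_OFF, SAVED, sizeof SAVED);
    for (size_t i = 0; i < n && i < FRAME_LEN; i++) {
        if (kind == WRITE_COPY) frame[i] = in[i];   /* classic overwrite */
        else                    frame[i] ^= in[i];  /* XOR-style write   */
    }
    /* The check a compiler-inserted canary performs on function return. */
    if (memcmp(frame + CANARY_OFF, CANARY, sizeof CANARY) != 0) result |= CANARY_TRIPPED;
    if (memcmp(frame + SAVED_OFF, SAVED, sizeof SAVED) != 0) result |= SAVED_CHANGED;
    return result;
}

/* Constructed input: zero bytes where the canary sits, non-zero after it.
   XOR with zero is the identity, so the canary survives without being known. */
void make_input(uint8_t *in) {
    memset(in, 0x41, FRAME_LEN);
    memset(in + CANARY_OFF, 0x00, sizeof CANARY);
}

int main(void) {
    uint8_t in[FRAME_LEN];
    make_input(in);
    printf("copy: %d\n", run_overflow(WRITE_COPY, in, sizeof in));
    printf("xor:  %d\n", run_overflow(WRITE_XOR, in, sizeof in));
    return 0;
}
```

With the same input, the overwrite trips the canary while the XOR write changes the saved value and leaves the canary untouched, so detection has to come from the bounds check itself rather than from the canary.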