CVE-2022-24809

Name: CVE-2022-24809
Creator: NVD / NIST
Published: 2024-04-16T20:15:09.033+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 1.10%

Last modified Jun 17, 2026

CVE-2022-24809 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-only credentials can use a malformed OID in a `GET-NEXT` to the `nsVacmAccessTable` to cause a NULL pointer dereference. EPSS estimates a 1.10% chance of exploitation in the next 30 days.

Description

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-only credentials can use a malformed OID in a `GET-NEXT` to the `nsVacmAccessTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

1.10%

61.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Net-Snmp	Net-Snmp	< 5.9.2
Fedoraproject	Fedora	36
Debian	Debian Linux	10.0
Debian	Debian Linux	11.0
Redhat	Enterprise Linux	9.0
Redhat	Enterprise Linux Eus	9.2
Redhat	Enterprise Linux Eus	9.4
Redhat	Enterprise Linux For Arm 64	9.0
Redhat	Enterprise Linux For Arm 64	9.2_aarch64
Redhat	Enterprise Linux For Arm 64	9.4_aarch64
Redhat	Enterprise Linux For Arm 64 Eus	9.4_aarch64
Redhat	Enterprise Linux For Ibm Z Systems	9.0
Redhat	Enterprise Linux For Ibm Z Systems	9.2_s390x
Redhat	Enterprise Linux For Ibm Z Systems	9.4_s390x
Redhat	Enterprise Linux For Ibm Z Systems Eus	9.4_s390x
Redhat	Enterprise Linux For Power Little Endian	9.0
Redhat	Enterprise Linux For Power Little Endian Eus	9.2_ppc64le
Redhat	Enterprise Linux For Power Little Endian Eus	9.4_ppc64le
Redhat	Enterprise Linux Server Aus	9.2
Redhat	Enterprise Linux Server Aus	9.4
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	9.2_ppc64le
Redhat	Enterprise Linux Server Update Services For Sap Solutions	9.2
Redhat	Enterprise Linux Update Services For Sap Solutions	9.4

References

https://bugzilla.redhat.com/show_bug.cgi?id=2103225Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2105242Third Party Advisory
https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775Patch
https://lists.debian.org/debian-lts-announce/2022/08/msg00020.htmlThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/Product
https://security.gentoo.org/glsa/202210-29Third Party Advisory
https://www.debian.org/security/2022/dsa-5209Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2103225Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2105242Third Party Advisory
https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775Patch
https://lists.debian.org/debian-lts-announce/2022/08/msg00020.htmlThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/Product
https://security.gentoo.org/glsa/202210-29Third Party Advisory
https://www.debian.org/security/2022/dsa-5209Third Party Advisory

Timeline

Published: Apr 16, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2022-24809?

How severe is CVE-2022-24809?

CVE-2022-24809 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 1.10% probability of exploitation in the next 30 days.

How do I fix CVE-2022-24809?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-24809?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST