{"id":"CVE-2022-2576","details":"In Eclipse Californium versions 2.0.0 to 2.7.2 and 3.0.0 to 3.5.0, a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without first using a HelloVerifyRequest, so the full handshake starts before the client's source address has been verified. Especially when certificate-based cipher suites are used, this results in message amplification (DDoS against other peers) and high CPU load (DoS of the own peer). The misbehavior occurs only when DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD is set to a value larger than 0.","aliases":["GHSA-qq3j-44gw-cf6r"],"modified":"2026-05-18T05:53:21.151211554Z","published":"2022-07-29T13:20:10Z","database_specific":{"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"last_affected":"2.0.0"},{"last_affected":"2.7.2"},{"last_affected":"3.0.0"},{"last_affected":"3.5.0"}]}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/2xxx/CVE-2022-2576.json","cwe_ids":["CWE-408"],"cna_assigner":"eclipse"},"references":[{"type":"WEB","url":"https://bugs.eclipse.org/580018"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/2xxx/CVE-2022-2576.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2576"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse-californium/californium","events":[{"introduced":"15a27a972d7b4dd8d28d717cedfd01e6bf860e38"},{"last_affected":"7eacd991054cff2cf741b6bf44c06bbe7b2d4c91"},{"introduced":"bb400ca2b6eeffa4a1d1ec3005a7391625c4ee20"},{"last_affected":"7ba3019079dcfb3484eeda7a23c5ede1b63ab48c"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"2.0.0"},{"last_affected":"2.7.2"},{"introduced":"3.0.0"},{"last_affected":"3.5.0"}],"cpe":"cpe:2.3:a:eclipse:californium:*:*:*:*:*:*:*:*"}}],"versions":["3.5.0","2.7.2","3.4.0","2.7.1","3.3.0","3.2.0","3.1.0","2.7.0","2.6.6","3.0.0","2.6.5","2.6.4","2.6.3","2.6.2","2.6.1","2.6.0","2.5.0","2.4.0","2.3.0","2.3.0-RC2","2.3.0-RC1","2.2.0","2.2.0-RC1","2.1.0","2.1.0-RC2","2.1.0-RC1","2.0.0"],
"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2576.json"}}],"schema_version":"1.7.5"}