Vulnerability Monitor

CVE-2022-41860


In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.


Published: 2023-01-17T18:15:11.387

Last Modified: 2025-11-03T20:15:57.650

Status: Modified

Source: [email protected]

Severity: CVSSv3.1: 7.5 (HIGH)

Weaknesses
  • Type: Secondary
    CWE-476

Affected Vendors & Products
Type         Vendor      Product     Version/Range  Vulnerable?
Application  freeradius  freeradius  ≤ 3.0.25       Yes
