CVE-2022-3236

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 4 articles

VulnLookup ↗ NVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-24

92.84%

probability

This CVE has a 92.84% probability of being exploited in the next 30 days.

0% Top 99.8th percentile of all CVEs 100%

CVSS score unavailable

Neither CIRCL nor NVD returned a CVSS score for this CVE. View on VulnerabilityLookup ↗

Description

Project Zero

Code injection allowing RCE

Attack Intelligence

CWE-664 · Improper Control of a Resource Through its Lifetime CWE-707 · Improper Neutralization CWE-74 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-913 · Improper Control of Dynamically-Managed Code Resources CWE-94 · Code Injection

Google Project Zero

Discovered

Sept. 16, 2022

Patched

Sept. 23, 2022

Reported by

Sophos X-Ops

Root Cause Analysis

???

October 2022 Patch Tuesday | Microsoft Releases 84 Vulnerabilities With 13 Critical, Plus 12 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 29 Vulnerabilities With 17 Critical.

Qualys Oct 11, 2022

Security Advisory 2022-065

CERT-EU Sep 26, 2022

Qualys Research Team: Threat Thursdays, September 2022

Qualys Sep 29, 2022

Chinese Hackers Use GHOSTSPIDER Malware to Hack Telecoms Across 12+ Countries

TheHackerNews

Signal Intelligence

Confidenceⓘ

92%

EPSS 92.84%

Mentions 4

Last Seen Oct 11, 2022

CNA Information

Analyst Note

This CVE is confirmed by multiple credible sources including Google Project Zero and CERT-EU, with a critical CVSS score of 9.8 reflecting remote code execution impact in Sophos Firewall. The presence of official security advisories from established authorities provides strong corroboration of the vulnerability's authenticity and severity.