
CVE-2022-28886: Denial of Service Vulnerability in F-Secure and WithSecure products. Affected: all F-Secure and WithSecure Endpoint Protection products for Windows running on a 32-bit operating system; F-Secure Linux Security 32; F-Secure Internet Gatekeeper.

Severity: Medium
Type: Vulnerability (CVE-2022-28886)
Published: Fri Sep 23 2022 (09/23/2022, 18:24:04 UTC)
Source: CVE
Vendor/Project: F-Secure and WithSecure
Product: All F-Secure and WithSecure Endpoint Protection products for Windows running on a 32-bit operating system; F-Secure Linux Security 32; F-Secure Internet Gatekeeper

Description

A Denial-of-Service vulnerability was discovered in the F-Secure and WithSecure products where aerdl.so/aerdl.dll may go into an infinite loop when unpacking PE files. It is possible that this can crash the scanning engine.

AI-Powered Analysis

AI analysis last updated: 07/08/2025, 07:58:35 UTC

Technical Analysis

CVE-2022-28886 is a Denial-of-Service (DoS) vulnerability affecting all versions of F-Secure and WithSecure Endpoint Protection products running on 32-bit Windows operating systems, as well as F-Secure Linux Security 32 and F-Secure Internet Gatekeeper. The flaw lies in the aerdl.so (Linux) and aerdl.dll (Windows) components responsible for unpacking Portable Executable (PE) files: when processing certain crafted PE files, these components may enter an infinite loop, causing the scanning engine to crash. The condition is classified under CWE-835 (Loop with Unreachable Exit Condition), a logic flaw that prevents the loop from terminating normally.

The CVSS 3.1 base score is 4.3, a medium severity rating. The vector requires high privileges (PR:H) and user interaction (UI:R) and has a network attack vector (AV:N), meaning the attack can be performed remotely over the network. The impact is primarily to availability: a scanning engine crash can disrupt endpoint protection services and leave systems unprotected against other threats. Confidentiality and integrity impacts are rated low. No exploits are known in the wild, and no patches or mitigations are explicitly linked in the provided information.

The affected 32-bit platforms are legacy systems that are less common but still present in some enterprise environments. The infinite loop could be triggered by maliciously crafted PE files delivered via email, downloads, or network shares, causing denial of service on the endpoint protection component and possibly leaving gaps in malware detection and response.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the availability of endpoint protection on affected 32-bit Windows and Linux systems. If exploited, the scanning engine crash could disable or degrade F-Secure and WithSecure security products, increasing exposure to malware and other threats. Organizations relying on these products to protect critical infrastructure, especially those with legacy 32-bit systems, may experience interruptions in security monitoring and incident response capabilities. This is particularly relevant in sectors with high security requirements such as finance, healthcare, government, and critical infrastructure. The medium severity rating and the requirement for high privileges and user interaction reduce the likelihood of widespread exploitation; targeted attacks against vulnerable systems nonetheless remain a concern. The absence of known exploits in the wild suggests limited active exploitation but does not eliminate future risk. European organizations with mixed architectures that include legacy 32-bit endpoints should assess their exposure and plan for the operational impact of an endpoint protection failure.

Mitigation Recommendations

1. Inventory and identify all systems running 32-bit Windows and Linux versions of F-Secure and WithSecure endpoint products to assess exposure.
2. Where possible, upgrade affected systems to 64-bit operating systems and endpoint protection versions, as the vulnerability specifically affects 32-bit versions.
3. Implement strict access controls to limit high-privilege accounts and reduce the risk of exploitation that requires elevated privileges.
4. Educate users to avoid opening or executing suspicious PE files, especially those received from untrusted sources, to reduce the likelihood of triggering the vulnerability.
5. Monitor endpoint protection logs and system stability for signs of scanning engine crashes or abnormal behavior that could indicate exploitation attempts.
6. Engage with F-Secure/WithSecure support channels to obtain any available patches or workarounds, even if not publicly linked, and apply them promptly.
7. Employ network-level protections such as email filtering, sandboxing, and intrusion detection systems to block or detect malicious PE files before they reach endpoints.
8. Develop incident response plans that include procedures for quickly restoring endpoint protection services after a DoS event.
9. Regularly update all security software and operating systems to reduce exposure to known vulnerabilities.


Technical Details

Data Version: 5.1
Assigner Short Name: F-SecureUS
Date Reserved: 2022-04-08T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f6b520acd01a249264622

Added to database: 5/22/2025, 6:22:10 PM

Last enriched: 7/8/2025, 7:58:35 AM

Last updated: 8/8/2025, 12:07:21 AM

