
CVE-2022-28887: Multiple Denial-of-Service (DoS) vulnerability in F-Secure and WithSecure: All F-Secure and WithSecure Endpoint Protection products for Windows & Mac; F-Secure Linux Security (32-bit); F-Secure Linux Security (64-bit); F-Secure Atlant; F-Secure Internet Gatekeeper

Severity: Medium
Type: Vulnerability
Published: Wed Oct 12 2022 (10/12/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: F-Secure and WithSecure
Product: All F-Secure and WithSecure Endpoint Protection products for Windows & Mac; F-Secure Linux Security (32-bit); F-Secure Linux Security (64-bit); F-Secure Atlant; F-Secure Internet Gatekeeper

Description

Multiple Denial-of-Service (DoS) vulnerabilities were discovered in F-Secure & WithSecure products whereby the aerdl.dll unpacker handler function crashes. This can lead to a possible scanning engine crash.

AI-Powered Analysis

Last updated: 07/04/2025, 19:26:01 UTC

Technical Analysis

CVE-2022-28887 is a medium-severity Denial-of-Service (DoS) vulnerability affecting multiple F-Secure and WithSecure endpoint protection products across Windows, Mac, and Linux platforms, including F-Secure Linux Security (both 32-bit and 64-bit), F-Secure Atlant, and F-Secure Internet Gatekeeper. The vulnerability arises from a flaw in the aerdl.dll unpacker handler function within the scanning engine. Specifically, when processing certain inputs, this function can crash, taking the scanning engine down with it. The crash results in a denial of service, temporarily disabling the endpoint protection capabilities of the affected product. The vulnerability is classified under CWE-404 (improper resource shutdown or release), indicating that the crash likely stems from mishandling of resources during unpacking operations. The CVSS v3.1 base score is 4.3 (medium), with vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L: the attack vector is network, attack complexity is low, high privileges are required, user interaction is required, scope is unchanged, and the confidentiality, integrity, and availability impacts are each rated low. No known exploits are reported in the wild, and no patches have been linked in the provided data, suggesting that mitigation may rely on vendor updates or workarounds. The vulnerability affects all versions of the listed products, indicating a broad exposure for users of these endpoint solutions.

Potential Impact

For European organizations, this vulnerability poses a risk of temporary disruption of endpoint protection services. Since the scanning engine can crash upon processing crafted inputs, attackers could exploit this to disable or degrade antivirus and endpoint security functions, potentially allowing malware or other threats to bypass detection during the downtime. This is particularly concerning for critical infrastructure, financial institutions, and enterprises with high security requirements that rely on F-Secure or WithSecure products for threat detection and prevention. The requirement for high privileges and user interaction limits the ease of exploitation but does not eliminate risk, especially in environments where privileged users might be targeted with social engineering or malicious files. The impact on confidentiality and integrity is limited but non-negligible, as disabling endpoint protection can facilitate further attacks. Availability is affected due to the DoS condition. Given the widespread use of these products in Europe, especially in Nordic countries where F-Secure has a strong market presence, the disruption potential is significant. However, the absence of known exploits and the medium severity rating suggest that immediate widespread attacks are unlikely but possible if attackers develop reliable exploit methods.

Mitigation Recommendations

Organizations should prioritize applying any official patches or updates released by F-Secure and WithSecure addressing CVE-2022-28887 once available. In the absence of patches, administrators should monitor endpoint protection logs for unusual crashes or scanning engine restarts indicative of exploitation attempts. Restricting high-privilege user interactions with untrusted files can reduce the risk, as exploitation requires user interaction with malicious content. Network segmentation and strict access controls can limit exposure to crafted inputs from external sources. Additionally, implementing layered security controls such as endpoint detection and response (EDR) tools, network intrusion detection systems (NIDS), and robust email and web filtering can help detect and block malicious payloads attempting to trigger the vulnerability. Regular security awareness training for privileged users to recognize phishing or malicious files is also recommended. Finally, organizations should maintain incident response readiness to quickly restore endpoint protection services if a DoS condition occurs.
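The recommendation above to watch endpoint logs for scanning-engine crashes can be reduced to a small detection rule. The following is an added example, not part of the CVE record and not vendor tooling: it scans constructed log lines in the shape of forwarded Windows Application-log "Application Error" events (Event ID 1000, which carries the faulting application and faulting module) and flags any host where the module named in the advisory, aerdl.dll, faults repeatedly inside a short window. The line format, host names, timestamps and the scanner process name (`scanner.exe`, a placeholder) are all constructed for this example; a real deployment would adapt the regex to the collector's export format.

```python
"""Flag repeated scanning-engine crashes from application-error log lines.

Added example (not from the CVE record or any vendor tooling). The log
format is constructed for this example: one line per forwarded Windows
Application-log event, carrying host, Event ID and, for Application Error
(Event ID 1000) events, the faulting application and faulting module.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three faults of the scanner process (placeholder name
# scanner.exe) in aerdl.dll on host WS-01 within ten minutes, one unrelated
# crash on WS-02, and a benign service-state event on WS-01.
SAMPLE_LOG = """\
2025-03-01T09:00:12Z host=WS-01 EventID=1000 app=scanner.exe module=aerdl.dll
2025-03-01T09:01:40Z host=WS-02 EventID=1000 app=notepad.exe module=ntdll.dll
2025-03-01T09:03:05Z host=WS-01 EventID=1000 app=scanner.exe module=aerdl.dll
2025-03-01T09:04:59Z host=WS-01 EventID=7036 service=scanner state=running
2025-03-01T09:08:30Z host=WS-01 EventID=1000 app=scanner.exe module=aerdl.dll
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+EventID=(?P<eid>\d+)"
    r"(?:\s+app=(?P<app>\S+))?(?:\s+module=(?P<module>\S+))?"
)


def parse_events(text: str) -> list:
    """Parse the constructed line format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"],
            "eid": int(m["eid"]),
            "app": m["app"],          # None for non-crash events
            "module": m["module"],    # None for non-crash events
        })
    return events


def flag_repeated_crashes(text: str, module: str = "aerdl.dll",
                          threshold: int = 3,
                          window: timedelta = timedelta(minutes=15)) -> dict:
    """Return {host: max crashes seen in one window} for hosts where the given
    module faulted at least `threshold` times within any sliding `window`."""
    per_host = defaultdict(list)
    for ev in parse_events(text):
        if ev["eid"] == 1000 and ev["module"] and ev["module"].lower() == module.lower():
            per_host[ev["host"]].append(ev["ts"])

    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts


if __name__ == "__main__":
    for host, count in flag_repeated_crashes(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} aerdl.dll faults within 15 minutes")
```

A single crash is weak evidence on its own (the unpacker can also fault on corrupt but harmless archives), so the rule keys on repetition per host; pair an alert with a check that the product's real-time protection actually came back up, since the availability impact described above lasts only as long as the engine stays down.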


Technical Details

Data Version: 5.1
Assigner Short Name: F-SecureUS
Date Reserved: 2022-04-08T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec470

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 7:26:01 PM

Last updated: 8/16/2025, 3:55:20 AM

