CVE-2022-36025: CWE-681: Incorrect Conversion between Numeric Types in hyperledger besu

Medium
Published: Sat Sep 24 2022 (09/24/2022, 02:00:13 UTC)
Source: CVE
Vendor/Project: hyperledger
Product: besu

Description

Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64 bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than the transaction requested, possibly exceeding gas limitations. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution.

AI-Powered Analysis

Last updated: 06/22/2025, 17:20:43 UTC

Technical Analysis

CVE-2022-36025 is a vulnerability identified in Hyperledger Besu, a Java-based Ethereum client widely used for enterprise blockchain implementations. The issue arises from an incorrect conversion between numeric types during the calculation of available gas in Ethereum Virtual Machine (EVM) CALL operations, including DELEGATECALL. Specifically, the error involves the handling of 32-bit signed and unsigned integers, which leads to incorrect gas values being passed to called contracts and incorrect gas amounts being returned after execution. This miscalculation can cause the execution to deviate from expected behavior in two significant ways. First, in blockchain networks that utilize multiple EVM implementations, the discrepancy in gas calculations can result in different state roots across nodes, causing consensus failures and potentially destabilizing the network. Second, in networks with a single EVM implementation, the flaw can be exploited to execute transactions with significantly more gas than originally requested, potentially bypassing gas limits and leading to resource exhaustion or denial of service. The vulnerability affects Besu versions newer than 22.1.3 and prior to 22.7.1 and was patched in version 22.7.1. As a temporary mitigation, reverting to version 22.1.3 or earlier prevents the incorrect gas calculation. No known exploits have been reported in the wild to date. The root cause is linked to CWE-681 (Incorrect Conversion between Numeric Types) and CWE-196 (Unsigned to Signed Conversion Error), highlighting a fundamental programming error in type handling within the gas calculation logic.
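As an added illustration of the CWE-681 pattern described above (this is not Besu's code and not the actual patched code path), the following Java sketch applies a simplified gas-forwarding rule to show how narrowing a 64-bit gas value to a 32-bit int silently produces a negative gas amount, next to a version that keeps the arithmetic in 64 bits and rejects inputs it cannot represent. The all-but-one-64th forwarding rule, the function names and the sample values are assumptions made for the illustration only.

```java
// Illustrative only: a simplified gas-forwarding calculation, not Besu's code.
public final class GasConversionDemo {

    // Buggy variant (assumed shape of a CWE-681 defect): narrows the 64-bit
    // remaining gas to a 32-bit int before computing the forwardable amount.
    // Any remaining gas above Integer.MAX_VALUE wraps to a negative int, and
    // that negative value is then widened back to long and passed onward.
    static long availableGasNarrowed(long remainingGas, long requestedGas) {
        int remaining32 = (int) remainingGas;               // lossy narrowing
        int allButOne64th = remaining32 - (remaining32 / 64);
        return Math.min((long) allButOne64th, requestedGas); // may be negative
    }

    // Fixed variant: keeps every intermediate value in 64 bits and rejects
    // out-of-range inputs explicitly instead of letting them wrap.
    static long availableGasChecked(long remainingGas, long requestedGas) {
        if (remainingGas < 0 || requestedGas < 0) {
            throw new IllegalArgumentException("gas values must be non-negative");
        }
        long allButOne64th = remainingGas - (remainingGas / 64);
        return Math.min(allButOne64th, requestedGas);
    }

    public static void main(String[] args) {
        // Constructed sample values: remaining gas chosen above Integer.MAX_VALUE
        // (2,147,483,647) so that the narrowing conversion wraps.
        long remaining = 3_000_000_000L;
        long requested = 100_000L;

        long narrowed = availableGasNarrowed(remaining, requested);
        long checked = availableGasChecked(remaining, requested);

        System.out.println("narrowed forwarding: " + narrowed
                + (narrowed < 0 ? "  (negative gas forwarded)" : ""));
        System.out.println("checked forwarding : " + checked);
    }
}
```

The defensive point is the one the advisory makes: gas is a 64-bit quantity, so every conversion to a 32-bit type in the call path must either be proven impossible to overflow or be replaced by a range check that fails loudly, because a silently negative gas value changes execution results and therefore the state root.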

Potential Impact

For European organizations utilizing Hyperledger Besu in their blockchain infrastructure, this vulnerability poses several risks. The most critical impact is the potential for consensus failures in permissioned or consortium blockchain networks that rely on multiple EVM implementations, which are common in enterprise and cross-organizational settings. Such failures can disrupt transaction finality, reduce trust in the blockchain ledger, and cause operational downtime. Additionally, the ability to execute transactions with more gas than intended could lead to denial-of-service conditions by exhausting node resources, impacting availability and performance. This is particularly concerning for financial institutions, supply chain consortia, and public sector entities in Europe that depend on blockchain for critical operations. While no active exploitation has been observed, the vulnerability undermines the integrity and reliability of blockchain transactions, potentially affecting confidentiality indirectly if transaction processing is disrupted or manipulated. Given the increasing adoption of blockchain technologies in Europe, especially in countries with strong fintech and industrial blockchain initiatives, the threat could have broad operational and reputational consequences.

Mitigation Recommendations

European organizations should take immediate steps to mitigate this vulnerability beyond generic patching advice. First, upgrade all Hyperledger Besu nodes to version 22.7.1 or later, where the issue is resolved. If immediate upgrading is not feasible, revert to version 22.1.3 or earlier as a temporary measure to prevent incorrect gas calculations. Conduct thorough audits of blockchain network configurations to identify if multiple EVM implementations are in use, as these environments are at higher risk of consensus failures. Implement monitoring tools to detect anomalies in gas usage and transaction execution times that could indicate exploitation attempts or consensus issues. Additionally, review smart contract logic for dependencies on precise gas calculations and consider adding safeguards or fallback mechanisms to handle unexpected gas values. For consortium networks, coordinate with all participants to ensure synchronized upgrades and consistent client versions to avoid network partitioning. Finally, incorporate this vulnerability into incident response and risk management frameworks, emphasizing blockchain-specific threat scenarios.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9845c4522896dcbf43a6

Added to database: 5/21/2025, 9:09:25 AM

Last enriched: 6/22/2025, 5:20:43 PM

Last updated: 8/1/2025, 8:22:53 AM
