CVE-2022-35252: control code in cookie denial of service