CVE-2022-39377

HIGH

Sysstat < 12.6.1 - Remote Code Execution

Title source: rule

Description

sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.

References (7)

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/10/msg00017.html

[Exploit, Third Party Advisory] https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/11/msg00014.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHUVUDIVDJZ7AVXD3XX3NBXXXKPOKN3N/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7X6WKTODOUDV6M3HZMASYNZP6EM4N7W4/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6F26ALXWYHT4LN2AHPZM34OQEXTJE3JZ/

[Third Party Advisory] https://security.gentoo.org/glsa/202211-07

Scores

CVSS v3 7.0

EPSS 0.0119

EPSS Percentile 78.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-131 CWE-120

Status published

Products (5)

debian/debian_linux 10.0

fedoraproject/fedora 35

fedoraproject/fedora 36

fedoraproject/fedora 37

sysstat_project/sysstat 9.1.6 - 12.6.1

Published Nov 08, 2022

Tracked Since Feb 18, 2026