CVE-2022-39377

HIGH

Sysstat < 12.6.1 - Remote Code Execution

Title source: rule

Description

sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.

References (7)

[Exploit, Third Party Advisory] https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/11/msg00014.html

[Third Party Advisory] https://security.gentoo.org/glsa/202211-07

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/10/msg00017.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6F26ALXWYHT4LN2AHPZM34OQEXTJE3JZ/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7X6WKTODOUDV6M3HZMASYNZP6EM4N7W4/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHUVUDIVDJZ7AVXD3XX3NBXXXKPOKN3N/

Scores

CVSS v3 7.0

EPSS 0.0129

EPSS Percentile 79.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-131 CWE-120

Status published

Affected Products (5)

sysstat_project/sysstat < 12.6.1

debian/debian_linux

fedoraproject/fedora

fedoraproject/fedora

fedoraproject/fedora

Timeline

Published Nov 08, 2022

Tracked Since Feb 18, 2026