CVE-2022-39377
HIGHsysstat 9.1.16-12.7.0 - Remote Code Execution via Buffer Size Overflow in sa_common.c
Title source: llmDescription
sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.
References (7)
Core 7
Core References
Exploit, Third Party Advisory
https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/11/msg00014.html
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHUVUDIVDJZ7AVXD3XX3NBXXXKPOKN3N/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7X6WKTODOUDV6M3HZMASYNZP6EM4N7W4/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6F26ALXWYHT4LN2AHPZM34OQEXTJE3JZ/
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202211-07
Scores
CVSS v3
7.0
EPSS
0.0110
EPSS Percentile
61.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-131
CWE-120
Status
published
Products (5)
debian/debian_linux
10.0
fedoraproject/fedora
35
fedoraproject/fedora
36
fedoraproject/fedora
37
sysstat_project/sysstat
9.1.6 - 12.6.1
Published
Nov 08, 2022
Tracked Since
Feb 18, 2026