CVE-2022-39377 — HIGH (7.0)

Q: How severe is CVE-2022-39377?

CVE-2022-39377 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-39377?

Check the references section above for vendor advisories and patch information. Affected products include: Sysstat Project Sysstat, Debian Debian Linux, Fedoraproject Fedora.

Vulnerability Description

sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.

CVSS Score

7.0

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Sysstat Project	Sysstat	>= 9.1.6, < 12.6.1
Debian	Debian Linux	10.0
Fedoraproject	Fedora	35

Related Weaknesses (CWE)

CWE-120 CWE-131

References

https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7xExploitThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00014.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202211-07Third Party Advisory
https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7xExploitThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00014.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202211-07Third Party Advisory

FAQ

What is CVE-2022-39377?

CVE-2022-39377 is a vulnerability with a CVSS score of 7.0 (HIGH). sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_c...

How severe is CVE-2022-39377?

CVE-2022-39377 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-39377?

Check the references section above for vendor advisories and patch information. Affected products include: Sysstat Project Sysstat, Debian Debian Linux, Fedoraproject Fedora.