{"api_version":"1","generated_at":"2026-05-10T15:33:50+00:00","cve":"CVE-2022-39377","urls":{"html":"https://cve.report/CVE-2022-39377","api":"https://cve.report/api/cve/CVE-2022-39377.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-39377","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-39377"},"summary":{"title":"CVE-2022-39377","description":"sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-11-08 20:15:00","updated_at":"2023-11-07 03:50:00"},"problem_types":["CWE-120","CWE-131"],"metrics":[],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00014.html","name":"[debian-lts-announce] 20221113 [SECURITY] [DLA 3188-1] sysstat security update","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 3188-1] sysstat security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHUVUDIVDJZ7AVXD3XX3NBXXXKPOKN3N/","name":"FEDORA-2022-dbe48a4bc7","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: sysstat-12.5.6-2.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7X6WKTODOUDV6M3HZMASYNZP6EM4N7W4/","name":"FEDORA-2022-5adda2d05f","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: sysstat-12.5.6-2.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PHUVUDIVDJZ7AVXD3XX3NBXXXKPOKN3N/","name":"FEDORA-2022-dbe48a4bc7","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: sysstat-12.5.6-2.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x","name":"https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x","refsource":"CONFIRM","tags":[],"title":"sysstat overflow on 32-bit systems · Advisory · sysstat/sysstat · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202211-07","name":"GLSA-202211-07","refsource":"GENTOO","tags":[],"title":"sysstat: Arbitrary Code Execution (GLSA 202211-07) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6F26ALXWYHT4LN2AHPZM34OQEXTJE3JZ/","name":"FEDORA-2022-9f3af921a5","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: sysstat-12.6.0-4.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7X6WKTODOUDV6M3HZMASYNZP6EM4N7W4/","name":"FEDORA-2022-5adda2d05f","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: sysstat-12.5.6-2.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6F26ALXWYHT4LN2AHPZM34OQEXTJE3JZ/","name":"FEDORA-2022-9f3af921a5","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: sysstat-12.6.0-4.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-39377","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39377","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"39377","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39377","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39377","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39377","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39377","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sysstat_project","cpe5":"sysstat","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-39377","qid":"160627","title":"Oracle Enterprise Linux Security Update for sysstat (ELSA-2023-2234)"},{"cve":"CVE-2022-39377","qid":"160670","title":"Oracle Enterprise Linux Security Update for sysstat (ELSA-2023-2800)"},{"cve":"CVE-2022-39377","qid":"181211","title":"Debian Security Update for sysstat (DLA 3188-1)"},{"cve":"CVE-2022-39377","qid":"181805","title":"Debian Security Update for sysstat (DLA 3434-1)"},{"cve":"CVE-2022-39377","qid":"184228","title":"Debian Security Update for sysstat (CVE-2022-39377)"},{"cve":"CVE-2022-39377","qid":"199052","title":"Ubuntu Security Notification for Sysstat Vulnerability (USN-5748-1)"},{"cve":"CVE-2022-39377","qid":"199402","title":"Ubuntu Security Notification for Sysstat Vulnerabilities (USN-6145-1)"},{"cve":"CVE-2022-39377","qid":"241432","title":"Red Hat Update for sysstat (RHSA-2023:2234)"},{"cve":"CVE-2022-39377","qid":"241475","title":"Red Hat Update for sysstat (RHSA-2023:2800)"},{"cve":"CVE-2022-39377","qid":"283322","title":"Fedora Security Update for sysstat (FEDORA-2022-dbe48a4bc7)"},{"cve":"CVE-2022-39377","qid":"283323","title":"Fedora Security Update for sysstat (FEDORA-2022-5adda2d05f)"},{"cve":"CVE-2022-39377","qid":"283429","title":"Fedora Security Update for sysstat (FEDORA-2022-9f3af921a5)"},{"cve":"CVE-2022-39377","qid":"354394","title":"Amazon Linux Security Advisory for sysstat : ALAS2022-2022-255"},{"cve":"CVE-2022-39377","qid":"354568","title":"Amazon Linux Security Advisory for sysstat : ALAS-2022-255"},{"cve":"CVE-2022-39377","qid":"354726","title":"Amazon Linux Security Advisory for sysstat : ALAS2-2023-1925"},{"cve":"CVE-2022-39377","qid":"355169","title":"Amazon Linux Security Advisory for sysstat : ALAS2023-2023-094"},{"cve":"CVE-2022-39377","qid":"378644","title":"Alibaba Cloud Linux Security Update for sysstat (ALINUX3-SA-2023:0070)"},{"cve":"CVE-2022-39377","qid":"672525","title":"EulerOS Security Update for sysstat (EulerOS-SA-2023-1138)"},{"cve":"CVE-2022-39377","qid":"672554","title":"EulerOS Security Update for sysstat (EulerOS-SA-2023-1114)"},{"cve":"CVE-2022-39377","qid":"672603","title":"EulerOS Security Update for sysstat (EulerOS-SA-2023-1338)"},{"cve":"CVE-2022-39377","qid":"672625","title":"EulerOS Security Update for sysstat (EulerOS-SA-2023-1373)"},{"cve":"CVE-2022-39377","qid":"672640","title":"EulerOS Security Update for sysstat (EulerOS-SA-2023-1401)"},{"cve":"CVE-2022-39377","qid":"672697","title":"EulerOS Security Update for sysstat (EulerOS-SA-2023-1418)"},{"cve":"CVE-2022-39377","qid":"672698","title":"EulerOS Security Update for sysstat (EulerOS-SA-2023-1433)"},{"cve":"CVE-2022-39377","qid":"673289","title":"EulerOS Security Update for sysstat (EulerOS-SA-2023-2629)"},{"cve":"CVE-2022-39377","qid":"673301","title":"EulerOS Security Update for sysstat (EulerOS-SA-2023-2599)"},{"cve":"CVE-2022-39377","qid":"710685","title":"Gentoo Linux sysstat Arbitrary Code Execution Vulnerability (GLSA 202211-07)"},{"cve":"CVE-2022-39377","qid":"904508","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for sysstat (11450)"},{"cve":"CVE-2022-39377","qid":"904638","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for sysstat (11450-1)"},{"cve":"CVE-2022-39377","qid":"904793","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for sysstat (12130)"},{"cve":"CVE-2022-39377","qid":"904800","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for sysstat (12130-1)"},{"cve":"CVE-2022-39377","qid":"905909","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for sysstat (12130-2)"},{"cve":"CVE-2022-39377","qid":"941040","title":"AlmaLinux Security Update for sysstat (ALSA-2023:2234)"},{"cve":"CVE-2022-39377","qid":"941107","title":"AlmaLinux Security Update for sysstat (ALSA-2023:2800)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-39377","STATE":"PUBLIC","TITLE":"sysstat Incorrect Buffer Size calculation on 32-bit systems results in RCE via buffer overflow"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"sysstat","version":{"version_data":[{"version_value":">= 9.1.16, < 12.7.1"}]}}]},"vendor_name":"sysstat"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1."}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-131: Incorrect Calculation of Buffer Size"}]},{"description":[{"lang":"eng","value":"CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}]},"references":{"reference_data":[{"name":"https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x","refsource":"CONFIRM","url":"https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x"},{"refsource":"MLIST","name":"[debian-lts-announce] 20221113 [SECURITY] [DLA 3188-1] sysstat security update","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00014.html"},{"refsource":"FEDORA","name":"FEDORA-2022-dbe48a4bc7","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PHUVUDIVDJZ7AVXD3XX3NBXXXKPOKN3N/"},{"refsource":"FEDORA","name":"FEDORA-2022-5adda2d05f","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7X6WKTODOUDV6M3HZMASYNZP6EM4N7W4/"},{"refsource":"FEDORA","name":"FEDORA-2022-9f3af921a5","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6F26ALXWYHT4LN2AHPZM34OQEXTJE3JZ/"},{"refsource":"GENTOO","name":"GLSA-202211-07","url":"https://security.gentoo.org/glsa/202211-07"}]},"source":{"advisory":"GHSA-q8r6-g56f-9w7x","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-11-08 20:15:00","lastModifiedDate":"2023-11-07 03:50:00","problem_types":["CWE-120","CWE-131"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:sysstat_project:sysstat:*:*:*:*:*:*:*:*","versionStartIncluding":"9.1.6","versionEndExcluding":"12.6.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}