Off-by-One Error in Systemd Affects Time Formatting Function
CVE-2022-3821

5.5MEDIUM

Key Information:

Vendor: Systemd Project
Status: Systemd
Vendor: CVE Published:; 8 November 2022

🔔 Create Systemd Project Vulnerability Alert

What is CVE-2022-3821?

A vulnerability has been identified in Systemd's time-util.c, specifically in the format_timespan() function, where an off-by-one error can be exploited. Attackers can provide crafted values for time and accuracy, potentially leading to a buffer overrun. This issue raises concerns about stability, as it can result in a Denial of Service, impacting system availability and performance.

Affected Version(s)

systemd Fixed in systemd v252-rc1

References

https://bugzilla.redhat.com/show_bug.cgi?id=2139327

https://github.com/systemd/systemd/issues/23928

https://github.com/systemd/systemd/pull/23933

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 8, 2022
Vulnerability Reserved
Nov 2, 2022

CVE-2022-3821 Data

JSON