CVE-2022-39377 HIGH

CVE-2022-39377: sysstat Incorrect Buffer Size calculation on 32-bit systems results in RCE via buffer overflow

Vendor Sysstat
Product sysstat
Weakness CWE-131
Published November 8, 2022
Last update November 3, 2025

CVSS base score

7.0/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

sysstat is a set of system performance tools for the Linux operating system. On 32-bit systems, in versions 9.1.16 and newer but prior to 12.7.1, the allocate_structures function in sa_common.c contains a size_t overflow: it insufficiently checks bounds before an arithmetic multiplication, so the size computed for the buffer representing system activities can wrap and the allocation ends up smaller than the data later written into it. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.
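The CWE-131 pattern behind this record, as an added illustration that is not sysstat's code: a 32-bit size type (here a constructed `size32_t` standing in for `size_t` on a 32-bit build, so the wrap reproduces on any host) makes `count * elem_size` silently wrap, and the hardened variant rejects the multiplication before it can wrap. All function names and input values are assumptions chosen for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for size_t on a 32-bit build: the product wraps
 * modulo 2^32 exactly as it would in a 32-bit sysstat binary. */
typedef uint32_t size32_t;

/* Unchecked size computation (the CWE-131 pattern): the product can wrap,
 * yielding a small allocation that later writes will overrun. */
size32_t unchecked_alloc_size(size32_t count, size32_t elem_size)
{
    return count * elem_size;   /* unsigned wrap, no error reported */
}

/* Hardened version: refuse any product that does not fit in size32_t.
 * Returns false and leaves *out untouched when it would overflow. */
bool checked_alloc_size(size32_t count, size32_t elem_size, size32_t *out)
{
    if (count != 0 && elem_size > UINT32_MAX / count)
        return false;           /* product would exceed the type */
    *out = count * elem_size;
    return true;
}

/* Allocate only when the byte count is provably correct; NULL otherwise. */
void *safe_alloc(size32_t count, size32_t elem_size)
{
    size32_t bytes;
    if (!checked_alloc_size(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed inputs: 0x01000001 * 0x100 = 0x100000100, which wraps
     * to 0x100 (256 bytes) in 32 bits. */
    size32_t count = 0x01000001u, elem = 0x100u, bytes = 0;
    printf("unchecked size: %u\n", unchecked_alloc_size(count, elem));
    printf("checked accepts: %d\n", checked_alloc_size(count, elem, &bytes));
    return 0;
}
```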

Key dates

Disclosure timeline

November 8, 2022 CVE published
November 3, 2025 Record updated