PT-2022-6032 · Unknown+10 · Libarchive+10

Wubonetcnop · Published 2022-07-11 · Updated 2025-01-21 · CVE-2022-36227

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: libarchive versions prior to 3.6.2
Description: libarchive does not check the return value of calloc(). If the allocation fails, the NULL result is used by the code that follows, leading to a NULL pointer dereference. This may allow a remote attacker to execute arbitrary code or cause a denial of service. In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, writing or reading memory at that address is possible, which may lead to code execution.
Recommendations: For libarchive versions prior to 3.6.2, update to version 3.6.2 or later to resolve the issue. As a temporary workaround, consider adding error checking after each call to calloc() so that a NULL result is reported as an error rather than dereferenced.
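The unchecked-calloc() pattern named in the description, next to the checked form the recommendation asks for, as an added example in C. It is not libarchive's code: the buffer type, the BUF_OK / BUF_FATAL return codes and the allocation hook used to force a failure are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical return codes in an archive library's OK / FATAL style. */
#define BUF_OK      0
#define BUF_FATAL (-30)

/* Allocation hook so a calloc() failure can be forced deterministically. */
static void *(*buf_calloc)(size_t, size_t) = calloc;
static void *failing_calloc(size_t n, size_t sz) { (void)n; (void)sz; return NULL; }
struct buffer { unsigned char *data; size_t len; };

/* Vulnerable pattern from the advisory: calloc()'s result is used without a
 * check, so an allocation failure becomes a write through a NULL pointer. */
int buffer_init_unchecked(struct buffer *b, size_t len)
{
    b->data = buf_calloc(len, 1);
    b->len = len;
    memset(b->data, 0xAA, len);   /* NULL dereference when calloc() failed */
    return BUF_OK;
}

/* Hardened form, the workaround the advisory recommends: test the return
 * value and propagate an error instead of touching the pointer. */
int buffer_init_checked(struct buffer *b, size_t len)
{
    unsigned char *p;
    b->data = NULL;
    b->len = 0;
    if (len == 0 || (p = buf_calloc(len, 1)) == NULL)
        return BUF_FATAL;         /* allocation failed: report, object stays empty */
    b->data = p;
    b->len = len;
    memset(b->data, 0xAA, len);   /* safe: p is known to be non-NULL here */
    return BUF_OK;
}

void buffer_free(struct buffer *b) { free(b->data); b->data = NULL; b->len = 0; }

/* Run the hardened initialiser under a forced allocation failure; returns 1
 * when it reports BUF_FATAL and leaves the object empty (no crash). */
int checked_survives_alloc_failure(void)
{
    struct buffer b;
    int rc;
    buf_calloc = failing_calloc;
    rc = buffer_init_checked(&b, 64);
    buf_calloc = calloc;
    return rc == BUF_FATAL && b.data == NULL && b.len == 0;
}
```

Calling buffer_init_unchecked() under the same forced failure would crash on the memset(), which is exactly the denial-of-service outcome the advisory describes.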

Tags: Exploit · Fix · DoS

Weakness Enumeration: Unchecked Return Value · NULL Pointer Dereference

Related Identifiers

ALSA-2023:2532
ALSA-2023:3018
ALT-PU-2022-3275
ALT-PU-2022-3325
ALT-PU-2022-3332
ALT-PU-2024-13156
AZL-11470
BDU:2022-07496
CESA-2023_3018
CVE-2022-36227
DLA-3294-1
DLA-3950-1
INFSA-2023_2532
MGASA-2022-0453
OESA-2022-2123
OESA-2022-2124
OESA-2022-2126
OPENSUSE-SU-2022_4202-1
OPENSUSE-SU-2022_4209-1
OPENSUSE-SU-2024:12588-1
RHSA-2023:2532
RHSA-2023:3018
RHSA-2023_2532
RHSA-2023_3018
RHSA-2024:0146
SUSE-SU-2022:4202-1
SUSE-SU-2022:4209-1
SUSE-SU-2022:4296-1
SUSE-SU-2022_4202-1
SUSE-SU-2022_4209-1
SUSE-SU-2022_4296-1
USN-7070-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Libarchive