CVE-2022-36227 Overview
CVE-2022-36227 affects libarchive versions before 3.6.2. The library fails to check the return value of a calloc call in archive_write.c. When calloc returns NULL under memory pressure, the subsequent dereference produces a NULL pointer dereference [CWE-476]. The flaw is classified by NVD as a network-exploitable issue with high impact on confidentiality, integrity, and availability, though third parties dispute the code-execution claim. The vulnerability affects downstream products bundling libarchive, including Debian Linux, Fedora, and Splunk Universal Forwarder.
Critical Impact
An unchecked calloc failure in libarchive results in a NULL pointer dereference. The discoverer references a theoretical code-execution scenario, while NVD scoring reflects worst-case impact across confidentiality, integrity, and availability.
Affected Products
- libarchive versions prior to 3.6.2
- Debian Linux 10.0
- Fedora 37
- Splunk Universal Forwarder (including 9.1.0)
Discovery Timeline
- 2022-11-22 - CVE-2022-36227 published to NVD
- 2023-01 - Debian LTS advisory released
- 2023-09 - Gentoo GLSA 202309-14 published
- 2024-11 - Debian LTS follow-up advisory released
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2022-36227
Vulnerability Analysis
The issue resides in libarchive/archive_write.c. The affected function allocates memory with calloc but does not validate the returned pointer before using it. When the allocation fails, calloc returns NULL and the calling code dereferences that pointer.
On current operating systems the zero page is normally unmapped (Linux enforces this through the vm.mmap_min_addr sysctl), so a NULL dereference raises a segmentation fault and terminates the process. The result is a denial-of-service condition in any application that links libarchive and processes attacker-supplied archives.
The discoverer notes a rare scenario: if privileged code could map the zero page, the NULL dereference would become an access to attacker-influenced memory rather than a crash. NVD's scoring reflects this worst-case assumption; third parties dispute that code execution is practical on hardened platforms.
Root Cause
The root cause is a missing return-value check after calloc invocation, a textbook instance of [CWE-476] NULL Pointer Dereference. The defensive pattern of validating allocator return values before dereference was not applied at this call site in archive_write.c.
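The following is an added example, not libarchive's source code: it models the unchecked-calloc pattern described in the two passages above (Vulnerability Analysis and Root Cause) next to the hardened form. The type and function names (writer_t, writer_new_unchecked, writer_new_checked, hooked_calloc) are hypothetical, and the allocation hook is a fault injector that stands in for real memory pressure so the failure path can be exercised deterministically.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libarchive source: models the unchecked-calloc pattern
 * behind CVE-2022-36227 and its fix. Names (writer_t, writer_new_*) are
 * hypothetical. A writer object owns a calloc'd buffer of zero bytes that is
 * later used for padding output. */

typedef struct {
    unsigned char *nulls;   /* zero-filled padding buffer */
    size_t null_length;     /* size of the buffer in bytes */
} writer_t;

/* Fault-injection hook: fail_after counts how many allocations succeed
 * before one returns NULL (-1 = never fail). This stands in for real
 * memory pressure so the failure path can be exercised deterministically. */
static int fail_after = -1;

static void *hooked_calloc(size_t n, size_t sz)
{
    if (fail_after == 0) {
        fail_after = -1;
        return NULL;
    }
    if (fail_after > 0)
        fail_after--;
    return calloc(n, sz);
}

/* Vulnerable shape (CWE-476): allocator results are used unchecked.
 * With fail_after == 0 the first assignment dereferences NULL; with
 * fail_after == 1 the memset writes through a NULL pointer. */
writer_t *writer_new_unchecked(void)
{
    writer_t *w = hooked_calloc(1, sizeof *w);
    w->null_length = 1024;                      /* NULL deref if first calloc failed */
    w->nulls = hooked_calloc(1, w->null_length);
    memset(w->nulls, 0, w->null_length);        /* NULL deref if second calloc failed */
    return w;
}

/* Hardened shape: every allocation is validated before use, and partially
 * constructed state is released so the caller sees a clean NULL. */
writer_t *writer_new_checked(void)
{
    writer_t *w = hooked_calloc(1, sizeof *w);
    if (w == NULL)
        return NULL;
    w->null_length = 1024;
    w->nulls = hooked_calloc(1, w->null_length);
    if (w->nulls == NULL) {
        free(w);
        return NULL;
    }
    return w;
}

void writer_free(writer_t *w)
{
    if (w == NULL)
        return;
    free(w->nulls);
    free(w);
}

/* Each demo returns 1 on the expected outcome, 0 otherwise. */
int demo_success(void)
{
    fail_after = -1;
    writer_t *w = writer_new_checked();
    int ok = w != NULL && w->nulls != NULL && w->null_length == 1024
             && w->nulls[0] == 0 && w->nulls[1023] == 0;
    writer_free(w);
    return ok;
}

int demo_fail_first(void)       /* struct allocation fails */
{
    fail_after = 0;
    return writer_new_checked() == NULL;
}

int demo_fail_second(void)      /* buffer allocation fails after struct succeeds */
{
    fail_after = 1;
    return writer_new_checked() == NULL;
}

int main(void)
{
    printf("success path: %d\n", demo_success());
    printf("first calloc fails, handled: %d\n", demo_fail_first());
    printf("second calloc fails, handled: %d\n", demo_fail_second());
    /* writer_new_unchecked() is deliberately not called with a failing
     * allocator: it would crash the process, which is the point. */
    return 0;
}
```

Against a real allocator the same failure path is reachable by running the process under a tight address-space limit (for example `ulimit -v`) or by preloading an allocator that fails on demand; the hardened constructor returns NULL in both cases, and the caller must in turn check for it rather than assume construction succeeded.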
Attack Vector
An attacker delivers a crafted archive to an application that uses libarchive for extraction or inspection. The NULL dereference is reached only if the calloc call fails while the archive is being processed, so the attacker must also drive the process into memory exhaustion (for example with large or numerous inputs) or wait for it to occur. The attack vector is rated network-reachable because archives are commonly received over the network and processed automatically by package managers, backup tools, and log forwarders such as Splunk Universal Forwarder.
No verified public proof-of-concept code is available for this issue. Refer to the libarchive GitHub Issue #1754 and the GitHub source code reference for technical details.
Detection Methods for CVE-2022-36227
Indicators of Compromise
- Unexpected crashes or segmentation faults in processes that link libarchive, particularly during archive read or write operations.
- Repeated abnormal terminations of bsdtar, package managers, or Splunk Universal Forwarder when handling externally sourced archives.
- Core dumps referencing archive_write.c or NULL address access within libarchive symbols.
Detection Strategies
- Inventory all systems and applications that statically or dynamically link libarchive versions below 3.6.2.
- Use software composition analysis (SCA) tooling to flag vulnerable libarchive builds embedded in third-party software such as Splunk Universal Forwarder.
- Monitor system logs and crash reporters for repeated faults originating from archive processing code paths.
Monitoring Recommendations
- Forward kernel and application crash telemetry to a centralized SIEM for correlation across hosts.
- Alert on archive-handling processes that crash shortly after receiving network-delivered files.
- Track patch state of libarchive across Linux distributions using vulnerability management tooling.
How to Mitigate CVE-2022-36227
Immediate Actions Required
- Upgrade libarchive to version 3.6.2 or later on all affected hosts.
- Apply distribution updates from Debian, Fedora, and Gentoo as referenced in the Debian LTS Advisory January 2023, Fedora Package Announcement, and Gentoo GLSA 202309-14.
- Update Splunk Universal Forwarder to a release that bundles the fixed libarchive library.
- Audit internal applications statically linking libarchive and rebuild against the patched version.
Patch Information
The fix is included in libarchive 3.6.2. Distribution backports are available via the Debian LTS Advisory November 2024 and the earlier January 2023 advisory. Refer to the libarchive GitHub Issue #1754 for the upstream resolution.
Workarounds
- Restrict archive inputs to trusted sources until upgrades are deployed.
- Run archive-processing services under isolation, such as containers or seccomp profiles, to limit the blast radius of a crash.
- Enable automatic process supervision so that crashed extraction workers do not disrupt dependent services.
# Verify installed libarchive version on Debian/Ubuntu
dpkg -l | grep libarchive
dpkg-query -W -f='${Version}\n' libarchive13
# Flag an upstream version below the fixed release (3.6.2)
dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libarchive13)" lt 3.6.2 && echo "libarchive13 older than 3.6.2"
# Caveat: distribution backports keep the older upstream version string, so
# a bare version comparison reports a patched package as vulnerable.
# Confirm by looking for the CVE id in the package changelog instead.
apt-get changelog libarchive13 | grep -i CVE-2022-36227
# Verify installed libarchive version on Fedora/RHEL
rpm -q libarchive
rpm -q --changelog libarchive | grep -i CVE-2022-36227
# Upgrade on Debian/Ubuntu
sudo apt-get update && sudo apt-get install --only-upgrade libarchive13
# Upgrade on Fedora
sudo dnf upgrade libarchive
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.