Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2022-3821

CVE-2022-3821: Systemd Off-by-One DoS Vulnerability

CVE-2022-3821 is an off-by-one error in Systemd's format_timespan() function that allows attackers to trigger a buffer overrun, causing denial of service. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2022-3821 Overview

An off-by-one error vulnerability was discovered in systemd's format_timespan() function within the time-util.c source file. This boundary condition error allows a local attacker to supply specially crafted values for time and accuracy parameters, triggering a buffer overrun that leads to a Denial of Service condition.

Critical Impact

Local attackers can crash systemd services by exploiting the off-by-one error in time formatting functions, potentially disrupting critical system services on affected Linux distributions.

Affected Products

  • systemd_project systemd
  • Red Hat Enterprise Linux 8.0 and 9.0
  • Fedora 35

Discovery Timeline

  • 2022-11-08 - CVE CVE-2022-3821 published to NVD
  • 2025-05-02 - Last updated in NVD database

Technical Details for CVE-2022-3821

Vulnerability Analysis

The vulnerability exists in the format_timespan() function located in src/basic/time-util.c. This function is responsible for formatting time duration values into human-readable strings. The off-by-one error occurs during buffer boundary calculations, where the function miscalculates the available buffer space by one byte.

When an attacker provides specific combinations of time and accuracy values, the function writes one byte beyond the allocated buffer boundary. This out-of-bounds write corrupts adjacent memory, which can cause the affected systemd component to crash or behave unexpectedly.

The impact is limited to availability (Denial of Service) rather than confidentiality or integrity breaches. The attack requires local access and low privileges, making it exploitable by authenticated users on the system.

Root Cause

The root cause is a classic off-by-one boundary condition error (CWE-193) in the buffer size calculation within the format_timespan() function. The original code used MIN((size_t) k, l) when calculating the number of bytes to copy, where l represents the remaining buffer space. This failed to account for the null terminator, allowing the function to write past the buffer boundary by one byte under specific input conditions.

Attack Vector

This vulnerability requires local access to the system. An attacker with low privileges can exploit this flaw by:

  1. Crafting specific time and accuracy parameter values that trigger the boundary miscalculation
  2. Passing these values to systemd functions that utilize format_timespan()
  3. Causing the buffer overrun, which leads to service crashes or unexpected behavior

The attack does not require user interaction and affects the availability of the system by causing systemd-related processes to crash.

c
// Security patch from systemd commit 9102c625a673a3246d7e73d8737f3494446bad4e
                        t = b;
                }

-                n = MIN((size_t) k, l);
+                n = MIN((size_t) k, l-1);

                l -= n;
                p += n;

Source: GitHub Systemd Commit

Detection Methods for CVE-2022-3821

Indicators of Compromise

  • Unexpected crashes of systemd-related services or daemons
  • Segmentation faults or memory corruption errors in system logs related to systemd components
  • Abnormal patterns of service restarts involving time-related systemd functionality

Detection Strategies

  • Monitor system logs for segmentation faults or crashes in systemd processes using journalctl -u systemd*
  • Implement process crash monitoring for critical systemd services
  • Use memory sanitizers (AddressSanitizer) in development/testing environments to detect buffer overflows

Monitoring Recommendations

  • Enable systemd service watchdogs and monitor for unexpected service restarts
  • Configure alerting for systemd service failures using tools like systemctl status monitoring
  • Review dmesg and syslog for kernel-level memory violation messages associated with systemd processes

How to Mitigate CVE-2022-3821

Immediate Actions Required

  • Update systemd to the latest patched version available for your distribution
  • Apply security patches from Red Hat, Fedora, Debian, or Gentoo depending on your Linux distribution
  • Restrict local access to untrusted users until patches are applied

Patch Information

The vulnerability has been fixed in systemd through commit 9102c625a673a3246d7e73d8737f3494446bad4e. The fix changes the buffer calculation from MIN((size_t) k, l) to MIN((size_t) k, l-1), ensuring the null terminator is properly accounted for and preventing the buffer overrun.

Distribution-specific patches are available:

Workarounds

  • Limit local user access to reduce the attack surface until patches can be applied
  • Monitor systemd services for crashes and implement automatic restart policies
  • Implement process isolation for untrusted workloads to minimize potential impact
bash
# Check current systemd version
systemctl --version

# Update systemd on Red Hat/CentOS/Fedora
sudo dnf update systemd

# Update systemd on Debian/Ubuntu
sudo apt update && sudo apt upgrade systemd

# Verify patch application by checking version
rpm -q systemd  # For RHEL/Fedora
dpkg -l systemd # For Debian/Ubuntu

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne