CVE-2022-3821 Overview
An off-by-one error vulnerability was discovered in systemd's format_timespan() function within the time-util.c source file. This boundary condition error allows a local attacker to supply specially crafted values for time and accuracy parameters, triggering a buffer overrun that leads to a Denial of Service condition.
Critical Impact
Local attackers can crash systemd services by exploiting the off-by-one error in time formatting functions, potentially disrupting critical system services on affected Linux distributions.
Affected Products
- systemd_project systemd
- Red Hat Enterprise Linux 8.0 and 9.0
- Fedora 35
Discovery Timeline
- 2022-11-08 - CVE CVE-2022-3821 published to NVD
- 2025-05-02 - Last updated in NVD database
Technical Details for CVE-2022-3821
Vulnerability Analysis
The vulnerability exists in the format_timespan() function located in src/basic/time-util.c. This function is responsible for formatting time duration values into human-readable strings. The off-by-one error occurs during buffer boundary calculations, where the function miscalculates the available buffer space by one byte.
When an attacker provides specific combinations of time and accuracy values, the function writes one byte beyond the allocated buffer boundary. This out-of-bounds write corrupts adjacent memory, which can cause the affected systemd component to crash or behave unexpectedly.
The impact is limited to availability (Denial of Service) rather than confidentiality or integrity breaches. The attack requires local access and low privileges, making it exploitable by authenticated users on the system.
Root Cause
The root cause is a classic off-by-one boundary condition error (CWE-193) in the buffer size calculation within the format_timespan() function. The original code used MIN((size_t) k, l) when calculating the number of bytes to copy, where l represents the remaining buffer space. This failed to account for the null terminator, allowing the function to write past the buffer boundary by one byte under specific input conditions.
Attack Vector
This vulnerability requires local access to the system. An attacker with low privileges can exploit this flaw by:
- Crafting specific time and accuracy parameter values that trigger the boundary miscalculation
- Passing these values to systemd functions that utilize format_timespan()
- Causing the buffer overrun, which leads to service crashes or unexpected behavior
The attack does not require user interaction and affects the availability of the system by causing systemd-related processes to crash.
// Security patch from systemd commit 9102c625a673a3246d7e73d8737f3494446bad4e
t = b;
}
- n = MIN((size_t) k, l);
+ n = MIN((size_t) k, l-1);
l -= n;
p += n;
Source: GitHub Systemd Commit
Detection Methods for CVE-2022-3821
Indicators of Compromise
- Unexpected crashes of systemd-related services or daemons
- Segmentation faults or memory corruption errors in system logs related to systemd components
- Abnormal patterns of service restarts involving time-related systemd functionality
Detection Strategies
- Monitor system logs for segmentation faults or crashes in systemd processes using journalctl -u systemd*
- Implement process crash monitoring for critical systemd services
- Use memory sanitizers (AddressSanitizer) in development/testing environments to detect buffer overflows
Monitoring Recommendations
- Enable systemd service watchdogs and monitor for unexpected service restarts
- Configure alerting for systemd service failures using tools like systemctl status monitoring
- Review dmesg and syslog for kernel-level memory violation messages associated with systemd processes
How to Mitigate CVE-2022-3821
Immediate Actions Required
- Update systemd to the latest patched version available for your distribution
- Apply security patches from Red Hat, Fedora, Debian, or Gentoo depending on your Linux distribution
- Restrict local access to untrusted users until patches are applied
Patch Information
The vulnerability has been fixed in systemd through commit 9102c625a673a3246d7e73d8737f3494446bad4e. The fix changes the buffer calculation from MIN((size_t) k, l) to MIN((size_t) k, l-1), ensuring the null terminator is properly accounted for and preventing the buffer overrun.
Distribution-specific patches are available:
- Red Hat: See Red Hat Bug Report 2139327
- Fedora: Available via Fedora Package Announcement
- Debian: See Debian LTS Announcement
- Gentoo: Addressed in GLSA 202305-15
Workarounds
- Limit local user access to reduce the attack surface until patches can be applied
- Monitor systemd services for crashes and implement automatic restart policies
- Implement process isolation for untrusted workloads to minimize potential impact
# Check current systemd version
systemctl --version
# Update systemd on Red Hat/CentOS/Fedora
sudo dnf update systemd
# Update systemd on Debian/Ubuntu
sudo apt update && sudo apt upgrade systemd
# Verify patch application by checking version
rpm -q systemd # For RHEL/Fedora
dpkg -l systemd # For Debian/Ubuntu
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
