CVE-2022-41903 Overview
CVE-2022-41903 is a critical integer overflow vulnerability in Git, the widely-used distributed revision control system. The vulnerability exists in the pretty.c::format_and_pad_commit() function, which processes padding operators in Git's --format specifiers. When handling these operators, a size_t value is improperly stored as an int, creating an integer overflow condition that can be exploited to perform arbitrary heap writes and potentially achieve arbitrary code execution.
This vulnerability can be triggered directly through Git commands that invoke the commit formatting machinery (such as git log --format=...) or indirectly through git archive via the export-subst mechanism, which expands format specifiers inside files within a repository during archive operations.
Critical Impact
Integer overflow in Git's commit formatting mechanism enables arbitrary heap writes that may result in arbitrary code execution, affecting all users running vulnerable Git versions either directly or through git archive operations.
Affected Products
- Git versions prior to 2.30.7
- Git versions 2.31.x prior to 2.31.6
- Git version 2.39.0
Discovery Timeline
- 2023-01-17 - CVE-2022-41903 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-41903
Vulnerability Analysis
The vulnerability resides in the commit formatting functionality of Git, specifically within the pretty.c::format_and_pad_commit() function. Git's git log command supports arbitrary formatting through --format specifiers, which includes various padding operators such as %<(, %<|(, %>(, %>>(, and %><(. This same functionality is exposed to git archive through the export-subst gitattribute feature.
The core issue stems from improper type handling where a size_t value (typically 64-bit on modern systems) is incorrectly stored as an int (typically 32-bit). When this truncated value is subsequently used as an offset in a memcpy() operation, the integer overflow can cause writes to unintended heap locations. This memory corruption primitive provides attackers with a powerful exploitation vector that can lead to arbitrary code execution.
The attack surface is significant because the vulnerability can be triggered through multiple vectors—both direct user interaction with Git commands and indirect exploitation through repository content processed by git archive.
Root Cause
The root cause is an integer overflow vulnerability (CWE-190) in the padding operator processing logic. The format_and_pad_commit() function in pretty.c incorrectly stores a size_t value in an int variable. This type mismatch causes truncation when the value exceeds the maximum positive integer range, and the resulting corrupted offset is then passed to memcpy(), enabling heap memory corruption.
Attack Vector
The vulnerability is exploitable over the network with low attack complexity and requires no privileges or user interaction. An attacker can craft malicious format specifiers that trigger the integer overflow when processed by:
- Direct exploitation: Running git log --format=... with specially crafted padding operators
- Indirect exploitation: Creating a repository with export-subst gitattributes containing malicious format specifiers, which are expanded when a victim runs git archive
The indirect attack vector is particularly dangerous in scenarios where git archive is exposed via git daemon, as remote attackers could potentially trigger the vulnerability by having victims archive a malicious repository.
+Git v2.30.7 Release Notes
+=========================
+
+This release addresses the security issues CVE-2022-41903 and
+CVE-2022-23521.
+
+
+Fixes since v2.30.6
+-------------------
+
+ * CVE-2022-41903:
+
+ git log has the ability to display commits using an arbitrary
+ format with its --format specifiers. This functionality is also
+ exposed to git archive via the export-subst gitattribute.
+
+ When processing the padding operators (e.g., %<(, %<|(, %>(,
+ %>>(, or %><( ), an integer overflow can occur in
+ pretty.c::format_and_pad_commit() where a size_t is improperly
+ stored as an int, and then added as an offset to a subsequent
+ memcpy() call.
+
+ This overflow can be triggered directly by a user running a
+ command which invokes the commit formatting machinery (e.g., git
+ log --format=...). It may also be triggered indirectly through
+ git archive via the export-subst mechanism, which expands format
+ specifiers inside of files within the repository during a git
+ archive.
+
+ This integer overflow can result in arbitrary heap writes, which
Source: Git Commit 508386c
Detection Methods for CVE-2022-41903
Indicators of Compromise
- Unusual git log commands with complex or excessively long --format specifiers containing padding operators (%<(, %<|(, %>(, %>>(, %><()
- Unexpected git archive operations on untrusted or recently cloned repositories
- Git process crashes or abnormal terminations during log or archive operations
- Repository .gitattributes files containing export-subst with suspicious format specifiers
Detection Strategies
- Monitor for Git process execution with --format arguments containing multiple padding operators or unusually large padding values
- Implement file integrity monitoring on Git binaries and configuration files to detect tampering
- Deploy endpoint detection to identify heap corruption or memory access violations in Git processes
- Audit .gitattributes files in repositories for export-subst entries with complex format specifiers
Monitoring Recommendations
- Enable verbose logging for Git daemon services and monitor for git archive requests from untrusted sources
- Track Git version deployments across systems to identify vulnerable installations
- Monitor for unexpected child process spawning from Git operations that may indicate successful code execution
- Implement network monitoring for suspicious archive requests to Git daemon endpoints
How to Mitigate CVE-2022-41903
Immediate Actions Required
- Upgrade Git to version 2.30.7 or later immediately on all systems
- Disable git archive functionality in untrusted repositories until patching is complete
- If running git daemon with archive support, disable it by running git config --global daemon.uploadArch false
- Audit repositories for suspicious .gitattributes files containing export-subst directives
Patch Information
Security patches were released on 2023-01-17 across multiple Git version branches. Users should upgrade to version 2.30.7 or the patched version corresponding to their major release branch (e.g., 2.31.6 for the 2.31.x series). The fix addresses the integer overflow by properly handling the size_t to prevent truncation issues during padding operator processing. For detailed patch information, see the Git Security Advisory GHSA-475x-2q3q-hvwq and the Git Commit Details.
Workarounds
- Disable git archive in untrusted repositories by avoiding the use of export-subst gitattribute
- If exposing git archive via git daemon, disable archive functionality using the configuration command below
- Restrict access to Git daemon services from untrusted networks
- Review and sanitize .gitattributes files before processing repositories from external sources
# Disable git archive via git daemon to mitigate indirect exploitation
git config --global daemon.uploadArch false
# Verify the setting is applied
git config --global --get daemon.uploadArch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
