CVE-2022-39260

Git vulnerable to Remote Code Execution via Heap overflow in `git shell`

Description

Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.

Categories

8.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 1.05% Top 25%
Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory gentoo.org
Affected: git git
Published at:
Updated at:

References

Link Tags
https://github.com/git/git/security/advisories/GHSA-rjr6-wcq6-83p6 mitigation third party advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/ vendor advisory
https://support.apple.com/kb/HT213496 third party advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/ vendor advisory
http://seclists.org/fulldisclosure/2022/Nov/1 third party advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/ vendor advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html third party advisory mailing list
https://security.gentoo.org/glsa/202312-15 vendor advisory

Frequently Asked Questions

What is the severity of CVE-2022-39260?
CVE-2022-39260 has been scored as a high severity vulnerability.
How to fix CVE-2022-39260?
To fix CVE-2022-39260, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-39260 being actively exploited in the wild?
It is possible that CVE-2022-39260 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-39260?
CVE-2022-39260 affects git git.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.