CVE-2022-41903

Integer overflow in `git archive`, `git log --format` leading to RCE in git

Description

Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.

Category

9.8
CVSS
Severity: Critical
CVSS 3.1 •
EPSS 17.33% Top 10%
Vendor Advisory git-scm.com Vendor Advisory git-scm.com
Affected: git git
Published at:
Updated at:

References

Link Tags
https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq third party advisory
https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76 patch third party advisory release notes
https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst vendor advisory
https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem vendor advisory
https://security.gentoo.org/glsa/202312-15

Frequently Asked Questions

What is the severity of CVE-2022-41903?
CVE-2022-41903 has been scored as a critical severity vulnerability.
How to fix CVE-2022-41903?
To fix CVE-2022-41903, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-41903 being actively exploited in the wild?
It is possible that CVE-2022-41903 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~17% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-41903?
CVE-2022-41903 affects git git.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.