CVE-2022-24903

Severity: High
Published: 06 May 2022
Modified: 21 November 2024
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0051 (66.8th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-24903 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in rsyslog, affecting Debian Linux among other downstream products. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 33.2% of CVEs by exploit likelihood (EPSS 66.8th percentile) and is not currently listed in the CISA KEV catalog.

Deeper analysis

Rsyslog's TCP syslog reception modules, including imtcp, imptcp, imgssapi, and imhttp, contain a heap buffer overflow in octet-counted framing mode. The flaw occurs during parsing of the octet count, where digits are written to a heap buffer without adequate bounds enforcement even after exceeding the configured maximum, leading to memory overruns that can produce segfaults or other malfunctions. The issue is tracked under CWE-120 and CWE-1284 and carries a CVSS 3.1 score of 8.1.

An unauthenticated remote attacker able to reach an affected receiver can supply a specially crafted sequence of digit characters within an octet-counted frame to trigger the overflow. The vulnerability description states that remote code execution is unlikely or highly complex, because no further characters can be written once the digit sequence ends; the overflow can nonetheless be used for denial of service and, in the hands of an expert, possibly more severe outcomes. The affected modules are enabled by default for reception, and octet-counted framing is one of the two supported framing modes.

Advisories and patches recommend disabling octet-counted framing on receivers when it is not required, applying the fix published in the referenced rsyslog commit, and ensuring that the affected modules are not directly exposed to untrusted networks. Downstream distributions such as Debian and Fedora have issued updated packages, and NetApp has published corresponding advisory guidance.

EPSS for the CVE rose from a low baseline to a peak of 0.1478 on 2025-01-22 before receding, indicating a period of increased exploitation interest well after initial disclosure.

Vulnerability details

Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. As of our understanding, this vulnerability cannot be used for remote code execution. But there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum. This can be used to overrun the memory buffer. However, once the sequence of digits stops, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability.
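The bounds check the description above says was missing, as an added illustration that is not rsyslog's code: a hypothetical octet-count frame parser that refuses to write a digit once its scratch buffer is full and rejects counts above an assumed configured maximum, instead of continuing to copy digits after the limit is exceeded. The function name and both limits are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened octet-count parser (added example, not rsyslog code).
 * Both limits below are assumed values chosen for illustration. */
#define MAX_OCTET_DIGITS 9     /* scratch buffer holds at most this many digits */
#define MAX_FRAME_SIZE   8192  /* assumed configured maximum message length    */

/* Parse an octet-counted frame of the form "<count> <message>".
 * Returns the message length on success and -1 if the frame is rejected.
 * The scratch buffer is checked *before* every write, so an overlong digit run
 * stops parsing instead of overrunning the buffer (the defect described above). */
int parse_octet_counted(const char *in, size_t in_len, const char **msg_out)
{
    char digits[MAX_OCTET_DIGITS + 1];  /* textual copy of the count */
    size_t ndigits = 0, i = 0;
    long count = 0;

    while (i < in_len && isdigit((unsigned char)in[i])) {
        if (ndigits >= MAX_OCTET_DIGITS)
            return -1;                  /* buffer full: reject, do not write */
        digits[ndigits++] = in[i];
        count = count * 10 + (in[i] - '0');
        if (count > MAX_FRAME_SIZE)
            return -1;                  /* count already over the maximum */
        i++;
    }
    digits[ndigits] = '\0';
    if (ndigits == 0 || i >= in_len || in[i] != ' ')
        return -1;                      /* no count, or separator missing */
    i++;                                /* skip the single space separator */
    if ((size_t)count > in_len - i)
        return -1;                      /* frame claims more bytes than present */
    *msg_out = in + i;
    return (int)count;
}

int main(void)
{
    /* constructed sample frames: one valid, one with an overlong digit run */
    const char *frames[] = { "5 hello", "0000000000 x" };
    for (size_t k = 0; k < 2; k++) {
        const char *msg = NULL;
        int n = parse_octet_counted(frames[k], strlen(frames[k]), &msg);
        printf("frame %zu: %s\n", k, n < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```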

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor          Product                    Versions
rsyslog         rsyslog                    ≤ 8.2204.1
fedoraproject   fedora                     35
debian          debian linux               10.0, 11.0, 9.0
netapp          active iq unified manager  all versions

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Platform-independent managed code (addresses CWE-120): eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.