CVE-2022-23521

CVE-2022-23521 is a critical-severity vulnerability in Git-scm Git with a CVSS 3.x base score of 9.8. Its EPSS exploit-prediction score of 56% places it in the 99th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-190.

Key facts

Description

Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.

Frequently asked questions

What is CVE-2022-23521?
Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
How severe is CVE-2022-23521?
CVE-2022-23521 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-23521 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 56% (99th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2022-23521?
CVE-2022-23521 primarily affects Git-scm Git. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-23521?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
When was CVE-2022-23521 published?
CVE-2022-23521 was published on 2023-01-17 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Git-scm Git

All CVEs affecting Git-scm Git →

Other CWE-190 (Integer Overflow or Wraparound) vulnerabilities

Browse all CWE-190 (Integer Overflow or Wraparound) vulnerabilities →