CVE-2022-39260— Git vulnerable to Remote Code Execution via Heap overflow in `git shell`
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-39260
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Git vulnerable to Remote Code Execution via Heap overflow in `git shell`
Source: NVD (National Vulnerability Database)
Vulnerability Description
Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨界内存写
Source: NVD (National Vulnerability Database)
Vulnerability Title
Git 缓冲区错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Git是一套免费、开源的分布式版本控制系统。 Git 存在安全漏洞,该漏洞源于Git错误地处理了某些符号链接。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2022-39260
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-39260
请登录查看更多情报信息。
- https://security.gentoo.org/glsa/202312-15vendor-advisory
- http://seclists.org/fulldisclosure/2022/Nov/1mailing-list
- https://nvd.nist.gov/vuln/detail/CVE-2022-39260
IV. Related Vulnerabilities
Same product: git
- CVE-2026-32631
Git for Windows: `git clone` from manipulated repositories c - CVE-2025-66413
Git for Windows leaks NTLM hash when cloning from an attacke - CVE-2025-48384
Git allows arbitrary code execution through broken config qu - CVE-2025-48385
Git alllows arbitrary file writes via bundle-uri parameter i - CVE-2025-48386
Git allows a buffer overflow in 'wincred' credential helper
Same vendor: git
- CVE-2025-48384
Git allows arbitrary code execution through broken config qu - CVE-2025-48385
Git alllows arbitrary file writes via bundle-uri parameter i - CVE-2025-48386
Git allows a buffer overflow in 'wincred' credential helper - CVE-2024-52005
The sideband payload is passed unfiltered to the terminal in - CVE-2024-50349
Git does not sanitize URLs when asking for credentials inter
V. Comments for CVE-2022-39260
No comments yet