CVE-2022-34038
Description
Etcd v3.5.4 allows remote attackers to cause a denial of service via function PageWriter.write in pagewriter.go. NOTE: the vendor's position is that this is not a vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Etcd v3.5.4 allows remote denial of service via the PageWriter.write function when pageBytes is zero, though the vendor disputes this as a vulnerability.
Vulnerability
Overview
CVE-2022-34038 describes a denial of service (DoS) vulnerability in etcd v3.5.4, specifically in the PageWriter.write function within pagewriter.go. The issue arises when the pageBytes parameter is set to zero, causing a panic or unexpected behavior that can be triggered remotely by an attacker [1][2][4]. This can lead to a crash of the etcd server, disrupting the availability of the key-value store for distributed systems like Kubernetes.
Exploitation and
Impact
An attacker can exploit this flaw without authentication by sending specially crafted requests that result in a zero value for pageBytes passed to the PageWriter. This triggers a panic (in older versions) or other unstable state, effectively causing a denial of service [3][4]. Since etcd is often used as a critical component for cluster coordination and data storage, a crash can cascade to dependent services, making the attack impactful even though it does not lead to data corruption or unauthorized access.
Mitigation
Status
The vendor maintains that this is not a vulnerability, arguing that the panic is a safety mechanism rather than a flaw [3]. However, upstream maintainers merged pull requests addressing the issue—adding verification to ensure pageBytes is greater than zero in newer versions [1][4]. Users are advised to update to etcd versions containing these fixes, such as those from pull #14022 and #14452, which prevent the panic by handling the zero-case gracefully [1][4].
If an immediate upgrade is not feasible, implementing input validation on any user-controlled parameters that influence pageBytes can serve as a partial workaround. The CVE has not been added to the Known Exploited Vulnerabilities catalog as of this writing.
- add a verification on the pagebytes which must be > 0 by ahrtr · Pull Request #14452 · etcd-io/etcd
- GitHub - etcd-io/etcd: Distributed reliable key-value store for the most critical data of a distributed system
- NVD - CVE-2022-34038
- fix(pkg/ioutil):avoid panic in PageWriter.Write() when pageBytes is 0 by secsys-go · Pull Request #14022 · etcd-io/etcd
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
go.etcd.io/etcd/v3Go | < 3.5.5 | 3.5.5 |
Affected products
3- Etcd/Etcddescription
- osv-coords2 versions
>= 3.5.4, < 3.5.5+ 1 more
- (no CPE)range: >= 3.5.4, < 3.5.5
- (no CPE)range: < 3.5.5
Patches
15a315ef88fbfadd a verification on the pagebytes which must be > 0
2 files changed · +44 −0
pkg/ioutil/pagewriter.go+3 −0 modified@@ -16,6 +16,8 @@ package ioutil import ( "io" + + "go.etcd.io/etcd/client/pkg/v3/verify" ) var defaultBufferBytes = 128 * 1024 @@ -41,6 +43,7 @@ type PageWriter struct { // NewPageWriter creates a new PageWriter. pageBytes is the number of bytes // to write per page. pageOffset is the starting offset of io.Writer. func NewPageWriter(w io.Writer, pageBytes, pageOffset int) *PageWriter { + verify.Assert(pageBytes > 0, "invalid pageBytes (%d) value, it must be greater than 0", pageBytes) return &PageWriter{ w: w, pageOffset: pageOffset,
pkg/ioutil/pagewriter_test.go+41 −0 modified@@ -17,6 +17,8 @@ package ioutil import ( "math/rand" "testing" + + "github.com/stretchr/testify/assert" ) func TestPageWriterRandom(t *testing.T) { @@ -111,6 +113,45 @@ func TestPageWriterOffset(t *testing.T) { } } +func TestPageWriterPageBytes(t *testing.T) { + cases := []struct { + name string + pageBytes int + expectPanic bool + }{ + { + name: "normal page bytes", + pageBytes: 4096, + expectPanic: false, + }, + { + name: "negative page bytes", + pageBytes: -1, + expectPanic: true, + }, + { + name: "zero page bytes", + pageBytes: 0, + expectPanic: true, + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + defaultBufferBytes = 1024 + cw := &checkPageWriter{pageBytes: tc.pageBytes, t: t} + if tc.expectPanic { + assert.Panicsf(t, func() { + NewPageWriter(cw, tc.pageBytes, 0) + }, "expected panic when pageBytes is %d", tc.pageBytes) + } else { + pw := NewPageWriter(cw, tc.pageBytes, 0) + assert.NotEqual(t, pw, nil) + } + }) + } +} + // checkPageWriter implements an io.Writer that fails a test on unaligned writes. type checkPageWriter struct { pageBytes int
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/advisories/GHSA-65rp-cv85-263xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-34038ghsaADVISORY
- github.com/etcd-io/etcd/commit/5a315ef88fbfa454e02d27b0b8acb4f89457cd90ghsaWEB
- github.com/etcd-io/etcd/pull/14022ghsaWEB
- github.com/etcd-io/etcd/pull/14452ghsaWEB
- github.com/golang/vulndb/issues/2016ghsaWEB
- go-review.googlesource.com/c/vulndb/+/524456ghsaWEB
- go-review.googlesource.com/c/vulndb/+/524456/2/data/excluded/GO-2023-2016.yamlghsaWEB
News mentions
0No linked articles in our index yet.