Panic in Go's Math Library Affecting Multiple Versions
CVE-2021-33198

7.5HIGH

Key Information:

Vendor

Golang

Status
Go
Vendor
CVE Published:
2 August 2021

What is CVE-2021-33198?

In the Go programming language, prior to versions 1.15.13 and 1.16.5, the math/big.Rat SetString and UnmarshalText methods are vulnerable to a panic situation when processing large exponent values. This can cause applications using these methods to crash unexpectedly, potentially leading to wider application availability issues. Developers utilizing these functionalities should review their implementations to safeguard against potential panics.

References

https://groups.google.com/g/golang-announce
x_refsource_MISC
https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
x_refsource_MISC
https://security.gentoo.org/glsa/202208-02
vendor-advisoryx_refsource_GENTOO

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.