Stack Exhaustion Vulnerability in Go Programming Language
CVE-2022-24921

7.5HIGH

Key Information:

Vendor: Golang
Status: Go
Vendor: CVE Published:; 5 March 2022

What is CVE-2022-24921?

The Go programming language is impacted by a stack exhaustion vulnerability due to the handling of deeply nested expressions in the regexp.Compile function. This issue affects versions before 1.16.15 and 1.17.x prior to 1.17.8, allowing crafted input to lead to excessive stack memory consumption, potentially crippling applications relying on this parsing feature.

References

https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk

https://security.netapp.com/advisory/ntap-20220325-0010/

https://lists.debian.org/debian-lts-announce/2022/04/msg0...

mailing-list

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 5, 2022
Vulnerability Reserved
Feb 10, 2022

Golang

What is CVE-2022-24921?

References

CVSS V3.1

Timeline