Panic Vulnerability in Go's Certificate Verify Function Affects MacOS
CVE-2022-27536

7.5HIGH

Key Information:

Vendor: Golang
Status: Go
Vendor: CVE Published:; 20 April 2022

What is CVE-2022-27536?

A vulnerability in the Certificate.Verify method within the crypto/x509 package of Go versions prior to 1.18.1 allows remote attackers to trigger a panic in TLS clients running on macOS when they encounter specifically crafted malformed certificates. This situation can cause a denial of service, potentially impacting the availability of services that rely on TLS communication.

References

https://groups.google.com/g/golang-announce

https://groups.google.com/g/golang-announce/c/oecdBNLOml8

https://security.gentoo.org/glsa/202208-02

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 20, 2022
Vulnerability Reserved
Mar 21, 2022

Golang

What is CVE-2022-27536?

References

CVSS V3.1

Timeline