P-256 Feature Vulnerability in Go Crypto Library
CVE-2022-28327

7.5HIGH

Key Information:

Vendor: Golang
Status: Go
Vendor: CVE Published:; 20 April 2022

What is CVE-2022-28327?

A vulnerability in the P-256 implementation of the Go crypto library allows attackers to exploit the system by feeding excessively long scalar inputs, which can lead to a panic. This flaw affects versions of Go before 1.17.9 and 1.18.x prior to 1.18.1, creating potential risks for applications utilizing this cryptographic functionality. Developers are urged to update to the latest versions to mitigate this issue.

References

https://groups.google.com/g/golang-announce

https://groups.google.com/g/golang-announce/c/oecdBNLOml8

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 20, 2022
Vulnerability Reserved
Apr 1, 2022

Golang

What is CVE-2022-28327?

References

CVSS V3.1

Timeline