Panic on large handshake records in crypto/tls
CVE-2022-41724

7.5HIGH

Key Information:

Vendor: Go Standard Library
Status: Crypto/tls
Vendor: CVE Published:; 28 February 2023

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2022-41724?

The vulnerability arises when large TLS handshake records are sent, potentially causing panic in both clients and servers. Specifically, this issue impacts all TLS 1.3 clients and those TLS 1.2 clients that have session resumption enabled. Furthermore, TLS 1.3 servers that request client certificates are also affected. The improper handling of the handshake records can lead to crashes, disrupting secure communications and creating security risks. Developers are advised to apply the latest security updates to mitigate this issue.

Affected Version(s)

crypto/tls 0 < 1.19.6

crypto/tls 1.20.0-0 < 1.20.1

References

https://go.dev/issue/58001

https://go.dev/cl/468125

https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 28, 2023
Vulnerability Reserved
Sep 28, 2022

Credit

Marten Seemann