Stack Exhaustion in Deeply Nested Structures Affects Decode Product
CVE-2024-34156

Currently unrated

Key Information:

Vendor: Go Standard Library
Status: Encoding/gob
Vendor: CVE Published:; 6 September 2024

What is CVE-2024-34156?

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected Version(s)

encoding/gob 0 < 1.22.7

encoding/gob 1.23.0-0 < 1.23.1

References

https://go.dev/cl/611239

https://go.dev/issue/69139

https://groups.google.com/g/golang-dev/c/S9POB9NCTdk

Timeline

Vulnerability published
Sep 6, 2024

Credit

Md Sakib Anwar of The Ohio State University ([email protected])

Go Standard Library

What is CVE-2024-34156?

Affected Version(s)

References

Timeline

Credit