CVE-2022-41715

Published: Oct 14, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.

Affected (2)

Products: Golang: Go

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.18.7
Golang Go	From 1.19.0 to 1.19.2

References (10)

https://go.dev/cl/439356

Source: security@golang.org

Patch

https://go.dev/issue/55949

Source: security@golang.org

Issue TrackingThird Party Advisory

https://groups.google.com/g/golang-announce/c/xtuG5faxtaU

Source: security@golang.org

Mailing ListRelease Notes

https://pkg.go.dev/vuln/GO-2022-1039

Source: security@golang.org

Vendor Advisory

https://security.gentoo.org/glsa/202311-09

Source: security@golang.org

https://go.dev/cl/439356

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://go.dev/issue/55949

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://groups.google.com/g/golang-announce/c/xtuG5faxtaU

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListRelease Notes

https://pkg.go.dev/vuln/GO-2022-1039

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.gentoo.org/glsa/202311-09

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.