Go · Go · CVE-2021-44717
**Name of the Vulnerable Software and Affected Versions**
Go versions 1.16.12 and earlier, 1.17.x before 1.17.5
**Description**
The issue allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. This can result in misdirected I/O, such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. The bug can be provoked when a Go program running on a Unix system is out of file descriptors and calls `syscall.ForkExec` (including indirectly by using the `os/exec` package).
**Recommendations**
For versions 1.16.12 and earlier, update to version 1.16.12 or later.
For versions 1.17.x before 1.17.5, update to version 1.17.5 or later.
As a temporary workaround for users who cannot immediately update, consider raising the per-process file descriptor limit to mitigate the bug.
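
The temporary workaround above can also be applied from inside the program at startup. The following is an added example, not code from the Go project or from this advisory: it raises the soft `RLIMIT_NOFILE` to the hard limit and reports how many descriptors remain before exhaustion. It assumes Linux (`/proc/self/fd`), and the function names `RaiseNoFile`, `OpenFDs` and `Headroom` are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// RaiseNoFile lifts the soft RLIMIT_NOFILE to the hard limit and returns
// the soft limit before and after the change.
func RaiseNoFile() (before, after uint64, err error) {
	var rl syscall.Rlimit
	if err = syscall.Getrlimit(syscall.RLIMIT_NOFILE, &rl); err != nil {
		return 0, 0, err
	}
	before = uint64(rl.Cur)
	if rl.Cur < rl.Max {
		rl.Cur = rl.Max
		if err = syscall.Setrlimit(syscall.RLIMIT_NOFILE, &rl); err != nil {
			return before, before, err
		}
	}
	return before, uint64(rl.Cur), nil
}

// OpenFDs counts this process's open descriptors (assumption: Linux procfs).
func OpenFDs() (int, error) {
	entries, err := os.ReadDir("/proc/self/fd")
	if err != nil {
		return 0, err
	}
	return len(entries) - 1, nil // exclude the descriptor ReadDir itself held
}

// Headroom is the number of descriptors left before the process runs out,
// which is the precondition for the misdirected I/O described above.
func Headroom(limit uint64, open int) uint64 {
	if open < 0 || uint64(open) >= limit {
		return 0
	}
	return limit - uint64(open)
}

func main() {
	before, after, err := RaiseNoFile()
	if err != nil {
		fmt.Fprintln(os.Stderr, "rlimit:", err)
		return
	}
	open, err := OpenFDs()
	if err != nil {
		fmt.Fprintln(os.Stderr, "fd count:", err)
		return
	}
	fmt.Printf("soft limit %d -> %d, open %d, headroom %d\n", before, after, open, Headroom(after, open))
}
```

Raising the limit only makes exhaustion less likely; a descriptor leak will still reach the new ceiling, so the headroom figure is worth exporting to monitoring until the update is applied.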