PT-2020-13859 · Go+6 · X/Text+6

Published

2020-06-17

·

Updated

2023-02-16

·

CVE-2020-14040

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions golang.org/x/text (x/text) package versions prior to 0.3.3
Description The UTF-16 decoder in the encoding/unicode package of golang.org/x/text enters an infinite loop when a single byte is supplied to a decoder created with the UseBOM or ExpectBOM byte-order-mark policy. The loop never terminates, so the program hangs and may crash or exhaust memory. An attacker who controls the decoder's input can trigger the loop with a one-byte input, causing a denial of service. Calling the String method of the Decoder, or passing the Decoder to golang.org/x/text/transform.String, also reaches the infinite loop.
Recommendations Update golang.org/x/text to version 0.3.3 or later. Because Go compiles dependencies into the binary, every program that vendors or depends on an affected x/text version must be rebuilt against the fixed version; updating the library source alone does not fix binaries that have already been built. Until the update is applied, avoid the UseBOM and ExpectBOM policies when instantiating UTF-16 decoders, and do not pass untrusted input to decoders that use them.
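The following Go program is an added example; it is not the x/text source and not part of the original advisory. It models the failure the description gives with a toy BOM-aware UTF-16 decoder (bomDecoder, an assumed name) that, in its vulnerable mode, answers a lone byte with (0, 0, nil), and in its fixed mode returns an error instead. SafeString (also ours) drives a transformer the way transform.String does but aborts when a round makes no progress without reporting an error. The Transformer interface copies only the method signature of transform.Transformer so the program runs offline without the module; the fixed decoder is our own correction, not a copy of the 0.3.3 patch.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf16"
	"unicode/utf8"
)

// Sentinel errors. ErrShortSrc/ErrShortDst carry the meaning of the same-named
// errors in golang.org/x/text/transform; ErrStalled and ErrOddLength are ours.
var (
	ErrStalled   = errors.New("transform: no progress made, aborting to avoid an infinite loop")
	ErrShortSrc  = errors.New("transform: short source buffer")
	ErrShortDst  = errors.New("transform: short destination buffer")
	ErrOddLength = errors.New("utf16: odd number of input bytes")
)

// Transformer has the same method signature as transform.Transformer.
type Transformer interface {
	Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error)
}

// bomDecoder is a toy UTF-16 decoder that honours a leading byte order mark.
// It models the behaviour the advisory describes; it is not x/text code.
type bomDecoder struct {
	fixed bool // false: stall on a lone byte (pre-0.3.3 behaviour); true: report an error
}

func NewBOMDecoder(fixed bool) Transformer { return &bomDecoder{fixed: fixed} }

func (d *bomDecoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
	if len(src) < 2 {
		if len(src) == 0 {
			return 0, 0, nil
		}
		if !d.fixed {
			// A single byte cannot hold a BOM. Returning (0, 0, nil) reports
			// neither progress nor failure, so a caller that loops until the
			// input is consumed calls Transform with the same byte forever.
			return 0, 0, nil
		}
		if atEOF {
			return 0, 0, ErrOddLength // never report "nothing consumed, all fine" at EOF
		}
		return 0, 0, ErrShortSrc // caller must supply more input
	}
	little := false
	switch {
	case src[0] == 0xFE && src[1] == 0xFF:
		nSrc = 2
	case src[0] == 0xFF && src[1] == 0xFE:
		little, nSrc = true, 2
	}
	// Gather complete 16-bit code units; utf16.Decode resolves surrogate pairs.
	units := make([]uint16, 0, (len(src)-nSrc)/2)
	for ; nSrc+1 < len(src); nSrc += 2 {
		if little {
			units = append(units, uint16(src[nSrc])|uint16(src[nSrc+1])<<8)
		} else {
			units = append(units, uint16(src[nSrc])<<8|uint16(src[nSrc+1]))
		}
	}
	for _, r := range utf16.Decode(units) {
		if nDst+utf8.RuneLen(r) > len(dst) {
			return 0, 0, ErrShortDst // no progress, but an error the caller can act on
		}
		nDst += utf8.EncodeRune(dst[nDst:], r)
	}
	if d.fixed && atEOF && nSrc < len(src) {
		return nDst, nSrc, ErrOddLength // one dangling byte left at EOF
	}
	return nDst, nSrc, nil
}

// SafeString drives a Transformer the way transform.String does, but refuses
// to spin: a round that consumes nothing, emits nothing and reports no error
// is treated as a transformer bug, and a round cap bounds the total work.
func SafeString(tr Transformer, src []byte, maxRounds int) (string, error) {
	dst := make([]byte, 2*len(src)+8) // UTF-16 to UTF-8 never grows more than 2x
	var out []byte
	for round := 0; len(src) > 0; round++ {
		if round >= maxRounds {
			return string(out), ErrStalled
		}
		nDst, nSrc, err := tr.Transform(dst, src, true)
		out = append(out, dst[:nDst]...)
		src = src[nSrc:]
		switch {
		case errors.Is(err, ErrShortDst):
			dst = make([]byte, 2*len(dst))
		case err != nil:
			return string(out), err
		case nDst == 0 && nSrc == 0:
			return string(out), ErrStalled
		}
	}
	return string(out), nil
}

func main() {
	lone := []byte{0xFE} // constructed input: the one-byte case from the advisory
	_, err := SafeString(NewBOMDecoder(false), lone, 1000)
	fmt.Println("pre-0.3.3 model, one byte:", err)
	_, err = SafeString(NewBOMDecoder(true), lone, 1000)
	fmt.Println("fixed model, one byte:", err)
	s, err := SafeString(NewBOMDecoder(true), []byte{0xFF, 0xFE, 'h', 0, 'i', 0}, 1000)
	fmt.Printf("fixed model, LE BOM + \"hi\": %q %v\n", s, err)
}
```

The stall check in SafeString is the caller-side defence: any Transformer that returns (0, 0, nil) on non-empty input would otherwise loop forever in a String-style driver, regardless of which package it comes from. It is a guard for code you write around third-party transformers, not a substitute for moving to x/text 0.3.3 and rebuilding.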

Weakness Enumeration

Infinite Loop
Resource Exhaustion

Related Identifiers

ALSA-2020:4694
AZL-44364
AZL-44877
CESA-2020_3665
CESA-2020_4694
CVE-2020-14040
GHSA-5RCV-M4M3-HFH7
GO-2020-0015
RHSA-2020:3369
RHSA-2020:3665
RHSA-2020:4214
RHSA-2020:4297
RHSA-2020:4694
RHSA-2020:5054
RHSA-2020:5055
RHSA-2020:5056
RHSA-2020:5606
RHSA-2020_3665
RHSA-2020_4694
RLSA-2020:4694
USN-5873-1

Affected Products

Almalinux
Centos
Linuxmint
Red Hat
Rocky Linux
Ubuntu
X/Text