PT-2021-20075 · Google+4 · Go+5

Andrew Thornton · Published 2021-02-19 · Updated 2026-04-07 · CVE-2021-33194

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

golang.org/x/net versions prior to v0.0.0-20210520170846-37e1c6afe023
Go versions prior to 1.15.13 and versions 1.16.x through 1.16.4

Description

The issue allows attackers to cause a denial of service via crafted ParseFragment input, resulting in an infinite loop. An attacker can craft an input to ParseFragment that causes it to enter an infinite loop and never return.

Recommendations

For golang.org/x/net versions prior to v0.0.0-20210520170846-37e1c6afe023, update to version v0.0.0-20210520170846-37e1c6afe023 or later.
For Go versions prior to 1.15.13, update to version 1.15.13 or later.
For Go versions 1.16.x through 1.16.4, update to version 1.16.5 or later.
As a temporary workaround, consider disabling the ParseFragment function until a patch is available.

Exploit

Fix

DoS

Infinite Loop

Weakness Enumeration

Related Identifiers

ALT-PU-2021-1376
ALT-PU-2021-1936
ALT-PU-2021-1940
ALT-PU-2021-1941
BIT-GOLANG-2021-33194
CVE-2021-33194
GHSA-83G2-8M93-V3W7
GO-2021-0238
USN-8089-2
USN-8089-3

Affected Products

Alt Linux
Astra Linux
Go
Linuxmint
Ubuntu
golang.org/x/net