PT-2021-22018 · Google+6 · Go+6
Ben Lubar · Published 2021-10-12 · Updated 2025-09-29
CVE-2021-38297
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Go versions prior to 1.16.9
Go versions 1.17.x prior to 1.17.2
Description:
The issue is a buffer overflow that occurs when large arguments are passed in a function invocation from a WASM module, specifically when using GOARCH=wasm and GOOS=js. This can cause portions of the module to be overwritten with data from the arguments.
Recommendations:
For Go versions prior to 1.16.9, update to version 1.16.9 or later.
For Go versions 1.17.x prior to 1.17.2, update to version 1.17.2 or later.
As a temporary workaround, consider rebuilding any modules and replacing the wasm_exec.js file as described in the official Go documentation.
Restrict the use of large arguments in function invocations from WASM modules to minimize the risk of exploitation.
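An added example (not code from this advisory or from the Go project): a check that applies the affected ranges listed above to a toolchain version string in the format returned by runtime.Version(). The Classify name and the sample versions are assumptions, and pre-releases such as go1.17rc2 are treated as earlier than the first patch release of that line.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

type Verdict string

const (
	Affected Verdict = "affected"
	Fixed    Verdict = "fixed"
	Unknown  Verdict = "unknown" // not a release string; check by hand
)

// Release strings as printed by runtime.Version() or `go version`:
// go1.16.8, go1.17, go1.17rc2, go1.18beta1.
var goVer = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+)|(?:rc|beta)\d+)?$`)

// Classify applies the advisory's ranges: affected before 1.16.9,
// and 1.17.x before 1.17.2.
func Classify(v string) Verdict {
	m := goVer.FindStringSubmatch(v)
	if m == nil || m[1] != "1" {
		return Unknown
	}
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3]) // empty for go1.17 and pre-releases: 0
	switch {
	case minor < 16,
		minor == 16 && patch < 9,
		minor == 17 && patch < 2:
		return Affected
	}
	return Fixed
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	for _, v := range []string{"go1.15.15", "go1.16.8", "go1.16.9",
		"go1.17rc2", "go1.17.1", "go1.17.2", "go1.21.0", "devel +abc123"} {
		fmt.Printf("%-14s %s\n", v, Classify(v))
	}
}
```

The version to check is that of the toolchain that built the WASM module, since the recommendations call for rebuilding modules as well as replacing wasm_exec.js.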
Exploit
Fix
Buffer Overflow
Affected Products
ALT Linux
AlmaLinux
CentOS
Go
Red Hat
Rocky Linux
SUSE