PT-2022-12208 · Go +6
Kamil Trzciński +1
Published 2021-12-09 · Updated 2024-06-15
CVE-2021-44717
CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Go versions 1.16.12 and earlier, 1.17.x before 1.17.5
Description
The issue allows write operations to reach an unintended file or an unintended network connection, because file descriptor 0 is erroneously closed after file-descriptor exhaustion. This can result in misdirected I/O, such as network traffic intended for one connection being written to a different connection, or content intended for one file being written to a different one. The bug can be provoked when a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly through the os/exec package).
Recommendations
For versions 1.16.12 and earlier, update to version 1.16.12 or later.
For versions 1.17.x before 1.17.5, update to version 1.17.5 or later.
As a temporary workaround for users who cannot immediately update, consider raising the per-process file descriptor limit to mitigate the bug.
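The temporary workaround above (raising the per-process file descriptor limit) and a simple headroom check, written in Go as an added example that is not part of this advisory or of the Go project's own code. It assumes Linux: the soft RLIMIT_NOFILE can be raised to the hard limit without privileges via the standard syscall package, and open descriptors are counted by listing /proc/self/fd. The function names (fdLimits, raiseFDLimit, openFDCount, headroomOK) and the 90% threshold are choices made for this example.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// fdLimits returns the current soft and hard RLIMIT_NOFILE values
// (Linux: syscall.Rlimit fields are uint64).
func fdLimits() (uint64, uint64, error) {
	var lim syscall.Rlimit
	if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &lim); err != nil {
		return 0, 0, err
	}
	return lim.Cur, lim.Max, nil
}

// raiseFDLimit raises the soft RLIMIT_NOFILE to the hard limit, which an
// unprivileged process is allowed to do, and returns the soft limit before
// and after the change. On error the limit is left unchanged.
func raiseFDLimit() (uint64, uint64, error) {
	var lim syscall.Rlimit
	if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &lim); err != nil {
		return 0, 0, err
	}
	before := lim.Cur
	lim.Cur = lim.Max
	if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, &lim); err != nil {
		return before, before, err
	}
	if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &lim); err != nil {
		return before, before, err
	}
	return before, lim.Cur, nil
}

// openFDCount counts descriptors currently open in this process by listing
// /proc/self/fd (Linux-specific; assumes procfs is mounted). The listing
// itself briefly opens one descriptor, so the count includes it.
func openFDCount() (int, error) {
	entries, err := os.ReadDir("/proc/self/fd")
	if err != nil {
		return 0, err
	}
	return len(entries), nil
}

// headroomOK reports whether fewer than maxUsedFraction of the soft limit is
// in use, i.e. whether the process is comfortably away from fd exhaustion,
// the precondition for the misdirected-I/O bug described in the advisory.
func headroomOK(open int, soft uint64, maxUsedFraction float64) bool {
	if soft == 0 {
		return false
	}
	return float64(open)/float64(soft) < maxUsedFraction
}

func main() {
	before, after, err := raiseFDLimit()
	if err != nil {
		fmt.Println("could not raise RLIMIT_NOFILE:", err)
	} else {
		fmt.Printf("soft RLIMIT_NOFILE raised from %d to %d\n", before, after)
	}
	open, err := openFDCount()
	if err != nil {
		fmt.Println("could not count open descriptors:", err)
		return
	}
	soft, hard, _ := fdLimits()
	fmt.Printf("open=%d soft=%d hard=%d headroomOK=%v\n",
		open, soft, hard, headroomOK(open, soft, 0.9))
}
```

Raising the soft limit only widens the margin; a program that still exhausts descriptors is still exposed on affected versions, so the headroom check is worth logging or alerting on in services that spawn subprocesses.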
Exploit
Fix
Weakness Enumeration: Improper Resource Release
Related Identifiers
Affected Products
Alt Linux
Almalinux
Centos
Go
Red Hat
Rocky Linux
Suse