PT-2022-16983 · Go+5

Juho Nurminen · Published 2022-03-03 · Updated 2025-02-14 · CVE-2022-24921

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Go versions prior to 1.16.15
Go versions 1.17.x prior to 1.17.8

Description
The issue allows for stack exhaustion via a deeply nested expression passed to the regexp.Compile function. Parsing an extremely deeply nested expression, typically on the order of 2MB in size, exhausts the stack of the parsing goroutine and causes the program to exit. This issue is particularly relevant on 64-bit platforms.

Recommendations
For Go versions prior to 1.16.15, update to version 1.16.15 or later. For Go versions 1.17.x prior to 1.17.8, update to version 1.17.8 or later. As a temporary workaround, bound the size and nesting depth of patterns that come from untrusted sources before passing them to regexp.Compile, so that deeply nested expressions are rejected rather than parsed.
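The workaround above, as an added example that is not part of the advisory or of the Go project's code: a guard that rejects untrusted patterns that are too long or nest groups too deeply before they reach regexp.Compile. The limits MaxPatternBytes and MaxGroupDepth are assumed values to be tuned per application, and NestedPattern builds a constructed test input; only the parenthesis nesting is counted, which is the primary way a pattern's parse tree becomes deep, and the byte limit bounds the rest.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Assumed limits for patterns received from untrusted input; tune per application.
const (
	MaxPatternBytes = 4096
	MaxGroupDepth   = 64
)

var (
	ErrPatternTooLong    = errors.New("pattern exceeds byte limit")
	ErrPatternTooDeep    = errors.New("pattern nests groups too deeply")
	ErrPatternUnbalanced = errors.New("pattern has unbalanced parentheses")
)

// GroupDepth returns the maximum nesting depth of groups in pattern.
// Escaped parentheses and parentheses inside a character class do not open
// or close groups, so they are skipped. A POSIX class such as [[:alpha:]]
// may end the class early and over-count, which only makes the guard stricter.
func GroupDepth(pattern string) (int, error) {
	depth, maxDepth := 0, 0
	inClass := false
	for i := 0; i < len(pattern); i++ {
		c := pattern[i]
		switch {
		case c == '\\':
			i++ // skip the escaped byte
		case inClass:
			if c == ']' {
				inClass = false
			}
		case c == '[':
			inClass = true
			if i+1 < len(pattern) && pattern[i+1] == '^' {
				i++ // negated class
			}
			if i+1 < len(pattern) && pattern[i+1] == ']' {
				i++ // a leading ']' inside a class is literal
			}
		case c == '(':
			depth++
			if depth > maxDepth {
				maxDepth = depth
			}
		case c == ')':
			if depth == 0 {
				return 0, ErrPatternUnbalanced
			}
			depth--
		}
	}
	if depth != 0 {
		return 0, ErrPatternUnbalanced
	}
	return maxDepth, nil
}

// SafeCompile applies the byte and depth limits before handing the pattern to
// regexp.Compile, so a deeply nested expression is rejected instead of parsed.
func SafeCompile(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > MaxPatternBytes {
		return nil, ErrPatternTooLong
	}
	d, err := GroupDepth(pattern)
	if err != nil {
		return nil, err
	}
	if d > MaxGroupDepth {
		return nil, ErrPatternTooDeep
	}
	return regexp.Compile(pattern)
}

// NestedPattern builds a constructed pattern "(((a)))" with n levels of groups.
func NestedPattern(n int) string {
	return strings.Repeat("(", n) + "a" + strings.Repeat(")", n)
}

func main() {
	for _, p := range []string{`^[a-z]+\(\d+\)$`, NestedPattern(10), NestedPattern(500)} {
		re, err := SafeCompile(p)
		if err != nil {
			fmt.Printf("rejected %d-byte pattern: %v\n", len(p), err)
			continue
		}
		fmt.Printf("compiled %d-byte pattern, matches \"a\": %v\n", len(p), re.MatchString("a"))
	}
}
```

The depth check runs in a single pass over the bytes and never recurses, so it costs nothing on the stack; the pattern is only parsed once it has passed both limits.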

Fix

Weakness Enumeration

Uncontrolled Recursion

Related Identifiers

ALT-PU-2022-1429
ALT-PU-2022-1435
ALT-PU-2022-1437
ALT-PU-2022-2873
AZL-79112
AZL-8898
BIT-GOLANG-2022-24921
CESA-2022_5337
CVE-2022-24921
DLA-2985-1
DLA-2986-1
DLA-3395-1
DLA-3395-2
GO-2021-0347
MGASA-2022-0126
OESA-2022-1590
OESA-2025-1122
OESA-2025-1123
OPENSUSE-SU-2022_1164-1
OPENSUSE-SU-2022_1167-1
OPENSUSE-SU-2024:11892-1
OPENSUSE-SU-2024:11893-1
RHSA-2022:5068
RHSA-2022:5337
RHSA-2022:5415
RHSA-2022:5729
RHSA-2022:5799
RHSA-2022:6042
RHSA-2022:6277
RHSA-2022_5337
RHSA-2022_5799
RHSA-2023:0407
RLSA-2022:5337
RLSA-2022:5799
SUSE-SU-2022:1164-1
SUSE-SU-2022:1167-1
SUSE-SU-2022_1164-1
SUSE-SU-2022_1167-1

Affected Products

Alt Linux
Centos
Go
Red Hat
Rocky Linux
Suse