PT-2022-18473 · Go+2 · Go+2

Published

2022-04-13

Updated

2024-06-15

CVE-2022-27536

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Go versions 1.18.0 through 1.18.0

Description The issue arises when the Certificate.Verify function in crypto/x509 is presented with certain malformed certificates, causing it to panic on macOS. This can be exploited by a remote TLS server to cause a TLS client to panic. The problem occurs when verifying certificate chains that contain non-compliant certificates according to RFC 5280, which can be delivered through TLS and cause a crypto/tls or net/http client to crash.

Recommendations For Go versions 1.18.0, update to version 1.18.1 or later to resolve the issue. As a temporary workaround, consider restricting access to TLS servers that may present malformed certificates until a patch is available.

Exploit

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-295

Related Identifiers

ALT-PU-2022-1689

ALT-PU-2022-1707

ALT-PU-2022-2873

ALT-PU-2023-1205

AZL-78958

BIT-GOLANG-2022-27536

CVE-2022-27536

GO-2022-0434

OPENSUSE-SU-2022_1410-1

OPENSUSE-SU-2024:11991-1

SUSE-SU-2022:1410-1

SUSE-SU-2023:2312-1

Affected Products

Alt Linux

Suse

PT-2022-18473 · Go+2 · Go+2

CVE-2022-27536

Weakness Enumeration

Related Identifiers

Affected Products

References · 82