PT-2022-18962 · Go+5 · Go+5

Published

2022-04-12

Updated

2025-02-14

CVE-2022-28327

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Go versions prior to 1.17.9 Go versions 1.18.x prior to 1.18.1

Description The issue allows a panic via long scalar input in the generic P-256 feature in crypto/elliptic. A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic.

Recommendations For Go versions prior to 1.17.9, update to version 1.17.9 or later. For Go versions 1.18.x prior to 1.18.1, update to version 1.18.1 or later. As a temporary workaround, consider restricting the use of long scalar inputs in the P256().ScalarMult and P256().ScalarBaseMult functions until a patch is available.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

ALT-PU-2022-1689

ALT-PU-2022-1707

ALT-PU-2022-2873

ALT-PU-2023-1205

AZL-9547

BIT-GOLANG-2022-28327

CESA-2022_5337

CVE-2022-28327

GO-2022-0435

MGASA-2022-0171

OESA-2022-1661

OESA-2025-1122

OESA-2025-1123

OPENSUSE-SU-2022_1410-1

OPENSUSE-SU-2022_1411-1

OPENSUSE-SU-2024:11991-1

OPENSUSE-SU-2024:12004-1

RHSA-2022:5068

RHSA-2022:5337

RHSA-2022:5415

RHSA-2022:5729

RHSA-2022:5799

RHSA-2022:6042

RHSA-2022:6094

RHSA-2022:6155

RHSA-2022:6277

RHSA-2022_5337

RHSA-2022_5799

RHSA-2023:3914

RHSA-2023:4003

RLSA-2022:5337

RLSA-2022:5799

SUSE-SU-2022:1410-1

SUSE-SU-2022:1411-1

SUSE-SU-2023:2312-1

Affected Products

Alt Linux

Centos

Red Hat

Rocky Linux

Suse

PT-2022-18962 · Go+5 · Go+5

CVE-2022-28327

Related Identifiers

Affected Products

References · 130