CVE-2020-14040
Published: 2020-06-17
Priority: P337 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 1.85% (76.6th percentile)
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
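The mechanism in the description above is a contract violation between two parts of x/text: the UTF-16 decoder, when it has seen only one byte under a UseBOM/ExpectBOM policy, reports "short source" even though the caller has signalled end of input, and transform.String answers "short source" by enlarging its buffer and calling the decoder again, forever (hence "crash or run out of memory"). The following is an added example written for this page, not code from golang.org/x/text: a simplified BOM-sniffing UTF-16 decoder that can run in a 0.3.2-style or a corrected mode, plus a bounded re-implementation of the String retry loop that reports the violation instead of spinning. It builds with the standard library only. The names utf16BOMDecoder, transformString, decodeUTF16 and errNoProgress are this model's own, and the corrected branch illustrates the required behaviour rather than reproducing the exact 0.3.3 patch.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf16"
	"unicode/utf8"
)

// Local stand-ins for the x/text sentinel errors, so this builds without the module.
var (
	errShortSrc   = errors.New("transform: short source buffer")
	errShortDst   = errors.New("transform: short destination buffer")
	errMissingBOM = errors.New("encoding: missing byte order mark")
	errNoProgress = errors.New("transform: no progress at EOF (an unbounded driver would loop forever)")
)

// transformer restates the transform.Transformer contract: errShortSrc is only
// meaningful while more input can still arrive, i.e. while atEOF is false.
type transformer interface {
	Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error)
}

// utf16BOMDecoder models a UTF-16 decoder under a UseBOM policy: two bytes are needed
// to look for a BOM, then 16-bit units are decoded in the detected order (big-endian
// when no BOM is present). Surrogate pairs are not assembled in this model.
type utf16BOMDecoder struct {
	fixed     bool // true: report a truncated BOM at EOF instead of asking for more input
	bomSeen   bool
	bigEndian bool
}

func (d *utf16BOMDecoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
	if !d.bomSeen {
		if len(src) < 2 {
			if d.fixed && atEOF {
				return 0, 0, errMissingBOM // nothing more is coming: fail, do not stall
			}
			return 0, 0, errShortSrc // vulnerable: demands more input even at EOF
		}
		switch {
		case src[0] == 0xFE && src[1] == 0xFF:
			d.bigEndian, nSrc = true, 2
		case src[0] == 0xFF && src[1] == 0xFE:
			d.bigEndian, nSrc = false, 2
		default:
			d.bigEndian = true
		}
		d.bomSeen = true
	}
	for nSrc < len(src) {
		r, size := utf8.RuneError, 1 // a dangling byte at EOF becomes U+FFFD and is consumed
		if nSrc+2 <= len(src) {
			u := uint16(src[nSrc])<<8 | uint16(src[nSrc+1])
			if !d.bigEndian {
				u = uint16(src[nSrc+1])<<8 | uint16(src[nSrc])
			}
			r, size = utf16.Decode([]uint16{u})[0], 2 // lone surrogates also become U+FFFD
		} else if !atEOF {
			return nDst, nSrc, errShortSrc // legitimate: a code unit is split across chunks
		}
		if nDst+utf8.RuneLen(r) > len(dst) {
			return nDst, nSrc, errShortDst
		}
		nDst += utf8.EncodeRune(dst[nDst:], r)
		nSrc += size
	}
	return nDst, nSrc, nil
}

// transformString is a bounded model of transform.String. Like the real driver it reacts
// to errShortSrc without progress by growing the source window and retrying; unlike it,
// it stops with errNoProgress once the whole input has already been offered (atEOF).
func transformString(t transformer, s string) (string, error) {
	var out []byte
	dst := make([]byte, 8)
	window, pSrc := 4, 0 // tiny window so the chunked path is exercised on short inputs
	for {
		end := pSrc + window
		if end > len(s) {
			end = len(s)
		}
		atEOF := end == len(s)
		nDst, nSrc, err := t.Transform(dst, []byte(s[pSrc:end]), atEOF)
		out = append(out, dst[:nDst]...)
		pSrc += nSrc
		switch {
		case err == errShortDst:
			dst = make([]byte, 2*len(dst))
		case err == errShortSrc:
			if nSrc == 0 && atEOF {
				return string(out), errNoProgress
			}
			window *= 2
		case err != nil:
			return string(out), err
		case pSrc == len(s):
			return string(out), nil
		}
	}
}

// decodeUTF16 decodes input with a fresh BOM-sniffing decoder, vulnerable or fixed.
func decodeUTF16(input []byte, fixed bool) (string, error) {
	return transformString(&utf16BOMDecoder{fixed: fixed}, string(input))
}

func main() {
	for name, in := range map[string][]byte{"single byte": {0xFF}, "LE BOM + hi": {0xFF, 0xFE, 'h', 0, 'i', 0}} {
		for _, fixed := range []bool{false, true} {
			s, err := decodeUTF16(in, fixed)
			fmt.Printf("fixed=%-5v %-12s -> %q, %v\n", fixed, name, s, err)
		}
	}
}
```

The one-byte input is the whole attack: the vulnerable decoder never consumes it and never stops asking for more, while a corrected decoder turns the same input into an ordinary error. The same observation gives a black-box test for a real build: decode a single byte through the real unicode.UTF16(unicode.LittleEndian, unicode.UseBOM) decoder in a goroutine with a deadline, and treat a hang as "vulnerable".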
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-golang-x-text | < golang-golang-x-text 0.3.3-1 (bookworm) | golang-golang-x-text 0.3.3-1 (bookworm) |
| fedoraproject | fedora | — | — |
| golang.org | x_text | >= 0 < 0.3.3 | 0.3.3 |
| golang | text | < 0.3.3 | 0.3.3 |
| paloalto | pan-os | — | — |
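Because the fix is a plain version bump, the first check on a Go codebase is which golang.org/x/text version the build actually selects, which is not always what go.mod says. The following added example (not part of the page or of x/text; the JSON field names Path, Version, Replace and Indirect are what `go list -m -json all` really prints, while the sample stream and the function names are constructed for this illustration) reads that output and flags x/text below v0.3.3, handling replace directives, indirect requirements, pseudo-versions and pre-release tags, all of which a naive string comparison gets wrong. On a real repository pipe `go list -m -json all` into it, or use `govulncheck ./...`, which additionally reports whether the vulnerable functions are reachable.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// module holds the fields of `go list -m -json all` output that matter for an audit.
type module struct {
	Path     string
	Version  string
	Replace  *module // set when a go.mod replace directive redirects this module
	Indirect bool    // pulled in by a dependency rather than required directly
}

// sample is constructed input in the shape go list emits: a stream of JSON objects,
// one per module. The versions are chosen to exercise the checks below.
const sample = `{"Path":"example.com/app","Main":true}
{"Path":"golang.org/x/net","Version":"v0.0.0-20200602114024-627f9648deb9"}
{"Path":"golang.org/x/text","Version":"v0.3.2","Indirect":true}
`

// parseModules decodes the concatenated JSON objects that go list prints.
func parseModules(r io.Reader) ([]module, error) {
	dec := json.NewDecoder(r)
	var mods []module
	for {
		var m module
		if err := dec.Decode(&m); err == io.EOF {
			return mods, nil
		} else if err != nil {
			return nil, err
		}
		mods = append(mods, m)
	}
}

// effective returns the module the build actually uses: a replace directive overrides
// the required version, so that is the version to audit.
func effective(m module) module {
	if m.Replace != nil {
		return *m.Replace
	}
	return m
}

// olderThan reports whether a module version sorts before the release tag vX.Y.Z in fixed.
// Pseudo-versions (v0.0.0-20200416...-abcdef) and pre-releases (v0.3.3-0.2020...) carry a
// "-" suffix and sort before the tag they name, so "v0.3.3-0...." is still older than
// v0.3.3. A "+incompatible" suffix does not affect ordering and is dropped.
func olderThan(version string, fixed [3]int) (bool, error) {
	v := strings.TrimSuffix(strings.TrimPrefix(version, "v"), "+incompatible")
	base, pre, _ := strings.Cut(v, "-")
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("unparseable version %q", version)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false, fmt.Errorf("unparseable version %q", version)
		}
		if n != fixed[i] {
			return n < fixed[i], nil
		}
	}
	return pre != "", nil // same X.Y.Z: only a pre-release of the fixed tag is older
}

// vulnerableXText returns one finding per module in the stream whose selected version of
// golang.org/x/text predates v0.3.3, or cannot be determined (a directory replace).
func vulnerableXText(r io.Reader) ([]string, error) {
	mods, err := parseModules(r)
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, m := range mods {
		if m.Path != "golang.org/x/text" {
			continue
		}
		e := effective(m)
		if e.Version == "" {
			findings = append(findings, fmt.Sprintf("%s replaced by directory %s: version unknown, inspect manually", m.Path, e.Path))
			continue
		}
		old, err := olderThan(e.Version, [3]int{0, 3, 3})
		if err != nil {
			return nil, err
		}
		if old {
			findings = append(findings, fmt.Sprintf("%s %s (indirect=%v) is below v0.3.3: CVE-2020-14040", e.Path, e.Version, m.Indirect))
		}
	}
	return findings, nil
}

func main() {
	var r io.Reader = strings.NewReader(sample)
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice == 0 {
		r = os.Stdin // piped input: go list -m -json all | go run audit.go
	}
	findings, err := vulnerableXText(r)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	if len(findings) == 0 {
		fmt.Println("golang.org/x/text not present or already >= v0.3.3")
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Two details matter for this CVE specifically: an indirect requirement still ends up in the binary, so `Indirect: true` is not a reason to ignore a hit, and a replace pointing at a local directory hides the version entirely, so the tool reports it for manual inspection rather than silently passing it.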
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
Palo Alto
PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS
vendor_paloalto·2025-07-09·CVSS 7.5
Indexed under CVE-2018-6594 [HIGH] and CVE-2023-38546 [HIGH]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.
| CVE | Summary |
|---|---|
| CVE-2018-6594 | This CVE is fixed in PAN-OS 10.2.17, 11.1.11, 11.2.8, 12.1.2, and all later versions of PAN-OS |
| CVE-2018-25032 | This CVE is fixed in PAN-OS 10.1.7, 10.2.2, and all later versions of PAN-OS |
| CVE-2019-5827 | This CVE is fixed in PAN-OS 11.1.4, and all later versions of PAN-OS. |
| CVE-2019-13750 | This CVE is fixed in PAN-OS 11.1.4, and all later versions of PAN-OS. |
| CVE-2019-13751 | This CVE is fixed in PAN-OS 11.1.4, and all later versions |
Ubuntu
Go Text vulnerabilities
vendor_ubuntu·2023-02-16·CVSS 7.5
CVE-2020-14040 [HIGH] Go Text vulnerabilities
Title: Go Text vulnerabilities
Summary: Several security issues were fixed in Go Text.
It was discovered that Go Text incorrectly handled certain encodings. An
attacker could possibly use this issue to cause a denial of service. This
issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-14040)
It was discovered that Go Text incorrectly handled certain BCP 47 language
tags. An attacker could possibly use this issue to cause a denial of service.
CVE-2020-28851, CVE-2020-28852 and CVE-2021-38561 affected only
Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2020-28851, CVE-2020-28852, CVE-2021-38561, CVE-2022-32149)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
vendor_redhat·2020-06-17·CVSS 7.5
CVE-2020-14040 [HIGH] CWE-835 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker i
Debian
CVE-2020-14040: golang-golang-x-text - The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode t...
vendor_debian·2020·CVSS 7.5
CVE-2020-14040 [HIGH] CVE-2020-14040: golang-golang-x-text - The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode t...
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Scope: local
bookworm: resolved (fixed in 0.3.3-1)
bullseye: resolved (fixed in 0.3.3-1)
forky: resolved (fixed in 0.3.3-1)
sid: resolved (fixed in 0.3.3-1)
trixie: resolved (fixed in 0.3.3-1)
OSV
golang-golang-x-text, golang-x-text vulnerabilities
osv·2023-02-16·CVSS 7.5
CVE-2020-14040 [HIGH] golang-golang-x-text, golang-x-text vulnerabilities
golang-golang-x-text, golang-x-text vulnerabilities
GHSA
golang.org/x/text Infinite loop
ghsa·2021-05-18
CVE-2020-14040 [MEDIUM] CWE-400 golang.org/x/text Infinite loop
golang.org/x/text Infinite loop
Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
### Specific Go Packages Affected
golang.org/x/text/encoding/unicode
golang.org/x/text/transform
OSV
golang.org/x/text Infinite loop
osv·2021-05-18
CVE-2020-14040 [MEDIUM] golang.org/x/text Infinite loop
OSV
Infinite loop when decoding some inputs in golang.org/x/text
osv·2021-04-14
CVE-2020-14040 Infinite loop when decoding some inputs in golang.org/x/text
Infinite loop when decoding some inputs in golang.org/x/text
An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.
OSV
CVE-2020-14040: The x/text package before 0
osv·2020-06-17·CVSS 7.5
CVE-2020-14040 [HIGH] CVE-2020-14040: The x/text package before 0
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-14040 golang: golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash [epel-all]
bugzilla·2020-07-03·CVSS 7.5
CVE-2020-14040 [HIGH] CVE-2020-14040 golang: golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash [epel-all]
CVE-2020-14040 golang: golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Bugzilla
CVE-2020-14040 golang: golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash [fedora-all]
bugzilla·2020-07-03·CVSS 7.5
CVE-2020-14040 [HIGH] CVE-2020-14040 golang: golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash [fedora-all]
CVE-2020-14040 golang: golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit messa
Bugzilla
CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
bugzilla·2020-07-03·CVSS 7.5
CVE-2020-14040 [HIGH] CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Upstream Reference:
https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0?pli=1
Discussion:
Created golang tracking bugs for this issue:
Affects: epel-all [bug 1853654]
Affects: fedora-all [bug 1853653]
---
Git commit: https://go-review.g
References:
https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/
Published: 2020-06-17