CVE-2020-16845
Published: 2020-08-06
Priority: P3 · 40 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 4.73% (90.7th percentile)
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
Affected (22 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | golang-1.15 | < golang-1.15 1.15~rc2-1 (bullseye) | golang-1.15 1.15~rc2-1 (bullseye) |
| debian | golang-github-ulikunitz-xz | < golang-github-ulikunitz-xz 0.5.6-2 (bookworm) | golang-github-ulikunitz-xz 0.5.6-2 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github.com | ulikunitz_xz | >= 0 < 0.5.8 | 0.5.8 |
| golang | go | < 1.13.15 | 1.13.15 |
| golang | go | >= 1.14 < 1.14.7 | 1.14.7 |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-2_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_golang_1.15.13-1_on_cbl_mariner_1.0 | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| ulikunitz | xz | < 0.5.8 | 0.5.8 |
| xz_project | xz | < 0.5.8 | 0.5.8 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
OSV · 2022-07-01 · CVE-2020-16845
Unbounded read from invalid inputs in encoding/binary
ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs.
Certain invalid inputs to ReadUvarint or ReadVarint can cause these functions to read an unlimited number of bytes from the ByteReader parameter before returning an error. This can lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint or ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.
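The unbounded read described above, as an added example that is not code from this page or from the Go project: a simplified varint decoder whose loop is either uncapped (the pre-fix shape) or capped at ten bytes (the shape of the fix), fed a constructed stream of continuation bytes (0x80) so the difference in how much input each consumes before erroring is measurable. All function and type names are assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"io"
)

// maxVarintLen64 is the longest LEB128 encoding of a uint64: ten 7-bit groups.
const maxVarintLen64 = 10

var errOverflow = errors.New("binary: varint overflows a 64-bit integer")

// readUvarint decodes an unsigned LEB128 varint from r, reading at most limit
// bytes; limit <= 0 means no cap. Simplified illustration, not the Go source.
func readUvarint(r io.ByteReader, limit int) (uint64, error) {
	var x, s uint64
	for i := 0; limit <= 0 || i < limit; i++ {
		b, err := r.ReadByte()
		if err != nil {
			if i > 0 && err == io.EOF {
				err = io.ErrUnexpectedEOF // a truncated varint is not a clean EOF
			}
			return x, err
		}
		if b < 0x80 { // continuation bit clear: this is the last byte
			if i > 9 || i == 9 && b > 1 {
				return x, errOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, errOverflow // limit reached with the continuation bit still set
}

// readUvarintUnbounded has the pre-fix shape the advisory describes: the loop
// ends only at a byte whose continuation bit is clear, so a stream of 0x80
// bytes is consumed in full before any error is returned.
func readUvarintUnbounded(r io.ByteReader) (uint64, error) { return readUvarint(r, 0) }

// readUvarintBounded has the shape of the fix in Go 1.13.15 / 1.14.7: invalid
// input fails with errOverflow after at most maxVarintLen64 reads.
func readUvarintBounded(r io.ByteReader) (uint64, error) { return readUvarint(r, maxVarintLen64) }

// bytesConsumed feeds a constructed hostile stream (n continuation bytes, then
// EOF) to a decoder and reports how many bytes it pulled before returning.
func bytesConsumed(decode func(io.ByteReader) (uint64, error), n int) (int, error) {
	buf := bytes.NewReader(bytes.Repeat([]byte{0x80}, n))
	_, err := decode(buf)
	return n - buf.Len(), err
}
```

On a real socket the unbounded variant would never return at all, since no EOF arrives; the finite buffer here only makes the consumed byte count observable.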
GHSA · 2021-12-16 · CVE-2020-16845 [HIGH] CWE-835
Withdrawn Advisory: Infinite loop in xz
### Withdrawn Advisory
This advisory has been withdrawn because alerts cannot be issued for the Go standard library at this time.
### Original Description
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
OSV · 2021-12-16 · CVE-2020-16845 [HIGH]
Withdrawn Advisory: Infinite loop in xz
GHSA · 2021-05-25 · CVSS 7.5 · CVE-2021-29482 [HIGH] CWE-835
github.com/ulikunitz/xz fixes readUvarint Denial of Service (DoS)
### Impact
xz is a compression and decompression library focusing on the xz format, completely written in Go. The function readUvarint, used to read the xz container format, may not terminate its loop when given malicious input.
### Patches
The problem has been fixed in release v0.5.8.
### Workarounds
Limit the size of the compressed file input to a reasonable size for your use case.
### References
The Go standard library recently had the same issue, for which [CVE-2020-16845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16845) was allocated.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [xz](https://github.com/ulikunitz/xz/issues).
OSV · 2021-05-25 · CVSS 7.5 · CVE-2021-29482 [HIGH]
github.com/ulikunitz/xz fixes readUvarint Denial of Service (DoS)
OSV · 2021-04-28 · CVSS 7.5 · CVE-2021-29482 [HIGH]
CVE-2021-29482: xz is a compression and decompression library focusing on the xz format completely written in Go
xz is a compression and decompression library focusing on the xz format, completely written in Go. The function readUvarint, used to read the xz container format, may not terminate its loop when given malicious input. The problem has been fixed in release v0.5.8. As a workaround, users can limit the size of the compressed file input to a reasonable size for their use case. The Go standard library recently had the same issue, for which CVE-2020-16845 was allocated.
OSV · 2020-08-06 · CVSS 7.5 · CVE-2020-16845 [HIGH]
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
Ubuntu · 2023-05-23 · CVE-2020-16845
Title: Go vulnerability
Summary: Go applications could be made to hang or crash if they received specially crafted input.
USN-5725-1 fixed a vulnerability in Go. This update provides the corresponding update for Ubuntu 16.04 LTS.
Original advisory details:
Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon discovered that Go incorrectly handled certain inputs. An attacker could possibly use this issue to cause Go applications to hang or crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
You still need to update all packages built with the affected version.
Ubuntu · 2022-11-15 · CVE-2020-16845
Title: Go vulnerability
Summary: Go applications could be made to hang or crash if they received specially crafted input.
Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon discovered that Go incorrectly handled certain inputs. An attacker could possibly use this issue to cause Go applications to hang or crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
You still need to update all packages built with the affected version.
Debian · 2021 · CVSS 7.5 · CVE-2021-29482 [HIGH]
CVE-2021-29482: golang-github-ulikunitz-xz - xz is a compression and decompression library focusing on the xz format complete...
xz is a compression and decompression library focusing on the xz format, completely written in Go. The function readUvarint, used to read the xz container format, may not terminate its loop when given malicious input. The problem has been fixed in release v0.5.8. As a workaround, users can limit the size of the compressed file input to a reasonable size for their use case. The Go standard library recently had the same issue, for which CVE-2020-16845 was allocated.
Scope: local
bookworm: resolved (fixed in 0.5.6-2)
bullseye: resolved (fixed in 0.5.6-2)
forky: resolved (fixed in 0.5.6-2)
sid: resolved (fixed in 0.5.6-2)
trixie: resolved (fixed in 0.5.6-2)
Red Hat · 2020-08-19 · CVSS 7.5 · CVE-2021-29482 [HIGH] CWE-835
ulikunitz/xz: Infinite loop in readUvarint allows for denial of service
xz is a compression and decompression library focusing on the xz format, completely written in Go. The function readUvarint, used to read the xz container format, may not terminate its loop when given malicious input. The problem has been fixed in release v0.5.8. As a workaround, users can limit the size of the compressed file input to a reasonable size for their use case. The Go standard library recently had the same issue, for which CVE-2020-16845 was allocated.
A flaw was found in github.com/ulikunitz/xz. The function readUvarint may not terminate its loop, which could lead to denial of service (DoS).
Statement: In OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes
Microsoft · 2020-08-11 · CVSS 7.5 · CVE-2020-16845 [HIGH] CWE-835
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Red Hat · 2020-08-06 · CVSS 7.5 · CVE-2020-16845 [HIGH] CWE-835
golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
A flaw was found in the Go encoding/binary package. Certain invalid inputs to ReadUvarint or ReadVarint cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This flaw can lead to processing more input than expected. The highest threat from this vulnerability is to system availability.
Statement: OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM), RedHat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization components are primarily written in Go, meaning that any compo
Debian · 2020 · CVSS 7.5 · CVE-2020-16845 [HIGH]
CVE-2020-16845: golang-1.15 - Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadU...
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
Scope: local
bullseye: resolved (fixed in 1.15~rc2-1)
No detection rules found.
No public exploits indexed.
Bugzilla · 2020-08-07 · CVSS 7.5 · CVE-2020-16845 [HIGH]
CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
References:
https://groups.google.com/forum/#!topic/golang-announce/_ulYYcIWg3Q
https://groups.google.com/forum/#!topic/golang-announce/NyPIaucMgXo
Discussion:
Created golang tracking bugs for this issue:
Affects: epel-all [bug 1867100]
Affects: fedora-all [bug 1867101]
---
External References:
https://groups.google.com/g/golang-announce/c/NyPIaucMgXo
---
upstream patch: https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258%5E%21/
---
golang-github-ulikunitz-xz is also affected and the fix is included in 0.5.8.
---
Bugzilla · 2020-08-07 · CVSS 7.5 · CVE-2020-16845 [HIGH]
CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: thi
Bugzilla · 2020-08-07 · CVSS 7.5 · CVE-2020-16845 [HIGH]
CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this is
References:
* http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00021.html
* http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00028.html
* http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html
* http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html
* https://groups.google.com/forum/#%21topic/golang-announce/NyPIaucMgXo
* https://groups.google.com/forum/#%21topic/golang-announce/_ulYYcIWg3Q
* https://lists.debian.org/debian-lts-announce/2020/11/msg00037.html
* https://lists.debian.org/debian-lts-announce/2020/11/msg00038.html
* https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RCFJTMKHY5ICGEM5BUFUEDDGSPJ25XU/
* https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWRBAH4UZJO3RROQ72SYCUPFCJFA22FO/
* https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/
* https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV2VWKFTH4EJGZBZALVUJQJOAQB5MDQ4/
* https://security.netapp.com/advisory/ntap-20200924-0002/
* https://www.debian.org/security/2021/dsa-4848
* https://www.oracle.com/security-alerts/cpuApr2021.html