CVE-2021-27918
Published: 2021-03-11
Priority: P3 (38) · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 2.54% (83.0th percentile)
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
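The failure mode described above, as an added example in Go that is not part of this record or of the Go project's own code: a constructed TokenReader replays `<doc>partial` and then reports a clean io.EOF while the element is still open, which is exactly the input condition the advisory names. The wrapper `depthGuard` (a name chosen here) is a hypothetical mitigation an application that feeds xml.NewTokenDecoder from its own TokenReader can put in front of it: it tracks element depth and converts an EOF inside an open element into io.ErrUnexpectedEOF before the decoder sees it, and it never asks the inner reader for more tokens after EOF. On Go 1.15.9 / 1.16.1 and later the unwrapped decoder already returns a syntax error for the same stream, so the third call in main is expected to error rather than hang; the wrapper gives a stable, explicit error for code that cannot yet move off an affected toolchain.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
)

// sliceReader is a constructed xml.TokenReader that replays a fixed token list
// and then reports io.EOF. Ending the list without an EndElement reproduces the
// advisory's condition: a clean EOF while an element is still open.
type sliceReader struct {
	toks []xml.Token
	pos  int
}

func (r *sliceReader) Token() (xml.Token, error) {
	if r.pos >= len(r.toks) {
		return nil, io.EOF
	}
	t := r.toks[r.pos]
	r.pos++
	return t, nil
}

// depthGuard (hypothetical helper) wraps any xml.TokenReader and normalises its
// end-of-stream behaviour: a token is always delivered with a nil error, the inner
// reader is never consulted again once it has reported io.EOF, and an io.EOF seen
// while an element is still open is reported as io.ErrUnexpectedEOF.
type depthGuard struct {
	inner xml.TokenReader
	depth int  // StartElements seen minus EndElements seen
	done  bool // inner reader has already reported EOF
}

func (g *depthGuard) Token() (xml.Token, error) {
	if g.done {
		return nil, g.endErr()
	}
	tok, err := g.inner.Token()
	switch tok.(type) {
	case xml.StartElement:
		g.depth++
	case xml.EndElement:
		g.depth--
	}
	if err == nil {
		return tok, nil
	}
	if !errors.Is(err, io.EOF) {
		return tok, err // any other error passes through untouched
	}
	g.done = true
	if tok != nil {
		// Token paired with EOF: hand the token over now and report the end
		// of stream (premature or not) on the next call.
		return tok, nil
	}
	return nil, g.endErr()
}

// endErr is what the guard reports once the inner reader is exhausted.
func (g *depthGuard) endErr() error {
	if g.depth > 0 {
		return io.ErrUnexpectedEOF
	}
	return io.EOF
}

// doc is the decode target: <doc>...</doc> with its character data in Body.
type doc struct {
	XMLName xml.Name `xml:"doc"`
	Body    string   `xml:",chardata"`
}

// decodeWith runs xml.NewTokenDecoder(r).Decode and returns the decoder's result.
func decodeWith(r xml.TokenReader) (doc, error) {
	var d doc
	err := xml.NewTokenDecoder(r).Decode(&d)
	return d, err
}

// truncatedStream is the constructed trigger: <doc>partial with no closing </doc>.
func truncatedStream() xml.TokenReader {
	return &sliceReader{toks: []xml.Token{
		xml.StartElement{Name: xml.Name{Local: "doc"}},
		xml.CharData("partial"),
	}}
}

// completeStream is the well-formed counterpart: <doc>ok</doc>.
func completeStream() xml.TokenReader {
	return &sliceReader{toks: []xml.Token{
		xml.StartElement{Name: xml.Name{Local: "doc"}},
		xml.CharData("ok"),
		xml.EndElement{Name: xml.Name{Local: "doc"}},
	}}
}

func main() {
	d, err := decodeWith(&depthGuard{inner: completeStream()})
	fmt.Printf("complete, guarded:    body=%q err=%v\n", d.Body, err)
	_, err = decodeWith(&depthGuard{inner: truncatedStream()})
	fmt.Println("truncated, guarded:   err =", err)
	_, err = decodeWith(truncatedStream())
	fmt.Println("truncated, unguarded: err =", err) // patched Go: syntax error, no hang
}
```

The guard sits between the application's TokenReader and xml.NewTokenDecoder (`xml.NewTokenDecoder(&depthGuard{inner: myReader})`), so callers of Decode, DecodeElement or Skip see io.ErrUnexpectedEOF for a truncated element and plain io.EOF only when every element has been closed.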
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.15 1.15.9-1 (bullseye) | golang-1.15 1.15.9-1 (bullseye) |
| golang | go | < 1.15.9 | 1.15.9 |
| golang | go | >= 1.16.0 < 1.16.1 | 1.16.1 |
| msrc | azl3_golang_1.23.12-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-2_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| paloalto | pan-os | — | — |
| redhat | openshift_serverless | < 1.17.0 | 1.17.0 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Palo Alto
PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS
vendor_paloalto · 2025-07-09 · CVSS 7.5 · CVE-2018-6594 [HIGH]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.
- CVE-2018-6594: This CVE is fixed in PAN-OS 10.2.17, 11.1.11, 11.2.8, 12.1.2, and all later versions of PAN-OS
- CVE-2018-25032: This CVE is fixed in PAN-OS 10.1.7, 10.2.2, and all later versions of PAN-OS
- CVE-2019-5827: This CVE is fixed in PAN-OS 11.1.4, and all later versions of PAN-OS.
- CVE-2019-13750: This CVE is fixed in PAN-OS 11.1.4, and all later versions of PAN-OS.
- CVE-2019-13751: This CVE is fixed in PAN-OS 11.1.4, and all later versions
Palo Alto
PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS
vendor_paloalto · 2025-07-09 · CVSS 7.5 · CVE-2023-38546 [HIGH]
Red Hat
serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196
vendor_redhat · 2021-09-13 · CVSS 7.5 · CVE-2021-3703 [HIGH]
It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless 1.16.0 and Serverless client kn 1.16.0. These have been fixed with Serverless 1.17.0.
CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed for Serverless 1.16.0 and Serverless client kn 1.16.0.
Statement: The flaw is moderate as the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 are moderate. The score is assigned as per the highest score given in CVE-2021-27918 and CVE-2021-33196.
Package: knative-eventing (OpenShift Serverless) - Not affected
Package: knative-serving (OpenShift Serverless) - Not affected
Red Hat
serverless: incomplete fix of CVE-2021-27918
vendor_redhat · 2021-08-18 · CVSS 7.5 · CVE-2021-3724 [HIGH] · CWE-477
[REJECTED CVE] A version of golang that is affected by CVE-2021-27918 was incorrectly shipped in the Red Hat Serverless 1.16.0 release.
Statement: This flaw was found to be a duplicate of CVE-2021-3703. Please see https://access.redhat.com/security/cve/CVE-2021-3703 for information about affected products and security errata.
Package: golang (OpenShift Serverless) - Affected
Red Hat
golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader
vendor_redhat · 2021-03-10 · CVSS 7.5 · CVE-2021-27918 [HIGH] · CWE-835
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
An infinite loop vulnerability was found in golang. If an application defines a custom token parser initializing with `xml.NewTokenDecoder` it is possible for the parsing loop to never return. An attacker could potentially craft a malicious XML document which has an XML element with `EOF` within it, causing the parsing application to endlessly loop, resulting in a Denial of Service (DoS).
Statement: OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM), Red
Microsoft
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element
vendor_msrc · 2021-03-09 · CVSS 7.5 · CVE-2021-27918 [HIGH] · CWE-835
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is id
Debian
CVE-2021-27918: golang-1.15 - encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop i...
vendor_debian · 2021 · CVSS 7.5 · CVE-2021-27918 [HIGH]
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
Scope: local
bullseye: resolved (fixed in 1.15.9-1)
GHSA
GHSA-x358-pmcq-q2x3
ghsa_unreviewed · 2022-08-27 · CVSS 7.5 · CVE-2021-3703 [HIGH]
It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless 1.16.0 and Serverless client kn 1.16.0. These have been fixed with Serverless 1.17.0.
GHSA
GHSA-8mmp-c685-53vw
ghsa_unreviewed · 2022-05-24 · CVE-2021-27918 [HIGH] · CWE-835
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
OSV
Infinite loop when decoding inputs in encoding/xml
osv · 2022-02-17 · CVE-2021-27918
The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.
OSV
CVE-2021-27918: encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1
osv · 2021-03-11 · CVSS 7.5 · CVE-2021-27918 [HIGH]
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.