CVE-2021-33198
Published: 2021-08-02
Priority: P3 · 40 · high · 7.5 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 3.40% (87.3rd percentile)
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.15 1.15.9-5 (bullseye) | golang-1.15 1.15.9-5 (bullseye) |
| golang | go | < 1.15.13 | 1.15.13 |
| golang | go | >= 1.16.0 < 1.16.5 | 1.16.5 |
| msrc | azl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-2_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| paloalto | pan-os | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-q2pw-fq43-w78v (ghsa_unreviewed · 2022-05-24 · HIGH)
Go before 1.15.12 and 1.16.x before 1.16.5 attempts to allocate excessive memory (issue 2 of 2).
OSV
Panic on inputs with large exponents in math/big (osv · 2022-02-17)
Rat.SetString and Rat.UnmarshalText may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents.
OSV
CVE-2021-33198 (osv · 2021-08-02 · CVSS 7.5 · HIGH)
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
Palo Alto
PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS (vendor_paloalto · 2024-11-01 · CVSS 9.8 · indexed under CVE-2017-12424 [CRITICAL])
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-12424, CVE-2021-3114, CVE-2021-31525, CVE-2021-33195, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-36221, CVE-2021-4034, CVE-2021-44716, CVE-2021-44717, CVE-2022-1664, CVE-2022-1705, CVE-2022-23772, CVE-2022-24675, CVE-2022-24921, CVE-2022-28327, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30631, CVE-2022-30632, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41717, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24539, CVE-2023-29406, CVE-2023-29409, CVE-2023-39
Microsoft
CVE-2021-33198 (vendor_msrc · 2021-08-10 · CVSS 7.5 · HIGH)
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Red Hat
golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (vendor_redhat · 2021-03-10 · CVSS 7.5 · HIGH · CWE-400)
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
A flaw was found in Go, where it attempts to allocate excessive memory. This issue may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents. The highest threat from this vulnerability is to system availability.
Statement:
* Since OpenShift Container Platform 3.11 is in the Maintenance Phase of support, only Important and Critical severity vulnerabilities will be addressed at this time.
* In Service Telemetry Framework, because the flaw has a lower impact and the package is not directly used by STF, no
Debian
golang-1.15 (vendor_debian · 2021 · CVSS 7.5 · HIGH)
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
Scope: local
bullseye: resolved (fixed in 1.15.9-5)
No detection rules found.
No public exploits indexed.