CVE-2021-41771
published 2021-11-08CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an…
PriorityP340high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
4.37%
90.1th percentile
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | golang-1.15 | < golang-1.15 1.15.15-1~deb11u2 (bullseye) | golang-1.15 1.15.15-1~deb11u2 (bullseye) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| golang | go | < 1.16.10 | 1.16.10 |
| golang | go | >= 1.17.0 < 1.17.3 | 1.17.3 |
| msrc | azl3_golang_1.23.8-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-2_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_golang_1.17.8-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_golang_1.16.10-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_debian7.5HIGH
vendor_msrc7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-g56w-5r6h-483w: ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1
ghsa_unreviewed·2022-05-24
CVE-2021-41771 [MEDIUM] CWE-119 GHSA-g56w-5r6h-483w: ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
OSV
Panic on invalid symbol tables in debug/macho
osv·2022-01-13
CVE-2021-41771 Panic on invalid symbol tables in debug/macho
Panic on invalid symbol tables in debug/macho
Calling File.ImportedSymbols on a loaded file which contains an invalid dynamic symbol table command can cause a panic, in particular if the encoded number of undefined symbols is larger than the number of symbols in the symbol table.
OSV
CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1
osv·2021-11-08·CVSS 7.5
CVE-2021-41771 [HIGH] CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
CISA ICS
Siemens Brownfield Connectivity Gateway
cisa_ics·2023-02-16·CVSS 7.5
[HIGH] Siemens Brownfield Connectivity Gateway
ICS Advisory
##
Siemens Brownfield Connectivity Gateway
Release DateFebruary 16, 2023
Alert CodeICSA-23-047-04
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Brownfield Connectivity—Gateway
- Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Uncontrolled Resource Consumption, Exposure of Resource to Wrong S
Microsoft
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer aka an out-of-bounds slice situation.
vendor_msrc·2021-11-09·CVSS 7.5
CVE-2021-41771 [HIGH] CWE-119 ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer aka an out-of-bounds slice situation.
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer aka an out-of-bounds slice situation.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to ref
Red Hat
golang: debug/macho: invalid dynamic symbol table command can cause panic
vendor_redhat·2021-10-14·CVSS 7.5
CVE-2021-41771 [HIGH] CWE-119 golang: debug/macho: invalid dynamic symbol table command can cause panic
golang: debug/macho: invalid dynamic symbol table command can cause panic
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
An out of bounds read vulnerability was found in debug/macho of the Go standard library. When using the debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat, it can cause golang to attempt to read outside of a slice (array) causing a panic when calling ImportedSymbols. An attacker can use this vulnerability to craft a file which causes an application using this library to crash resulting in a denial of service.
Statement: For Red Hat Service Telemetry Framework, because the flaw has a l
Debian
CVE-2021-41771: golang-1.15 - ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1....
vendor_debian·2021·CVSS 7.5
CVE-2021-41771 [HIGH] CVE-2021-41771: golang-1.15 - ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1....
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
Scope: local
bullseye: resolved (fixed in 1.15.15-1~deb11u2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdfhttps://groups.google.com/g/golang-announce/c/0fM21h43archttps://lists.debian.org/debian-lts-announce/2022/01/msg00016.htmlhttps://lists.debian.org/debian-lts-announce/2022/01/msg00017.htmlhttps://lists.debian.org/debian-lts-announce/2023/04/msg00021.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/https://security.gentoo.org/glsa/202208-02https://security.netapp.com/advisory/ntap-20211210-0003/https://www.oracle.com/security-alerts/cpujul2022.htmlhttps://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdfhttps://groups.google.com/g/golang-announce/c/0fM21h43archttps://lists.debian.org/debian-lts-announce/2022/01/msg00016.htmlhttps://lists.debian.org/debian-lts-announce/2022/01/msg00017.htmlhttps://lists.debian.org/debian-lts-announce/2023/04/msg00021.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/https://security.gentoo.org/glsa/202208-02https://security.netapp.com/advisory/ntap-20211210-0003/https://www.oracle.com/security-alerts/cpujul2022.html
2021-11-08
Published