CVE-2022-28327
Published 2022-04-20
The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
Priority P341 · high · 7.5 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 3.96% (89.2th percentile)
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | extra_packages_for_enterprise_linux | — | — |
| fedoraproject | extra_packages_for_enterprise_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| golang | go | < 1.17.9 | 1.17.9 |
| golang | go | >= 1.18.0 < 1.18.1 | 1.18.1 |
| msrc | cbl2_golang_1.18.3-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_golang_1.18.3-1_on_cbl_mariner_1.0 | — | — |
| paloalto | pan-os | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | 7.5 | HIGH | |
| vendor_msrc | 7.5 | HIGH | |
| vendor_oracle | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
Palo Alto
PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto · 2024-11-01 · CVSS 9.8 · CVE-2017-12424 [CRITICAL]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-12424, CVE-2021-3114, CVE-2021-31525, CVE-2021-33195, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-36221, CVE-2021-4034, CVE-2021-44716, CVE-2021-44717, CVE-2022-1664, CVE-2022-1705, CVE-2022-23772, CVE-2022-24675, CVE-2022-24921, CVE-2022-28327, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30631, CVE-2022-30632, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41717, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24539, CVE-2023-29406, CVE-2023-29409, CVE-2023-39
Oracle
Oracle Oracle Blockchain Platform Risk Matrix: BCS Console (Golang Go) vulnerability
vendor_oracle · 2023-04-15 · CVSS 7.5 · CVE-2022-28327 [HIGH]
CVE: CVE-2022-28327
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2023 (APR 2023)
CISA ICS
Siemens Brownfield Connectivity Gateway
cisa_ics · 2023-02-16 · CVSS 7.5 · [HIGH]
ICS Advisory
Release Date: February 16, 2023
Alert Code: ICSA-23-047-04
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Brownfield Connectivity—Gateway
- Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Uncontrolled Resource Consumption, Exposure of Resource to Wrong S
Microsoft
The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
vendor_msrc · 2022-04-12 · CVSS 7.5 · CVE-2022-28327 [HIGH]
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Re
Red Hat
golang: crypto/elliptic: panic caused by oversized scalar
vendor_redhat · 2022-04-12 · CVSS 7.5 · CVE-2022-28327 [HIGH] · CWE-190
The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scalar input longer than 32 bytes, causing P256().ScalarMult or P256().ScalarBaseMult to panic, leading to a loss of availability.
Statement: A moderate severity flaw was found in Go’s crypto/elliptic package in the generic P-256 implementation. If a scalar input longer than 32 bytes is supplied, P256().ScalarMult or P256().ScalarBaseMult can panic, causing the application to crash. Indirect uses via crypto/ecdsa and crypto/tls are not affected. This issue impacts availability but does no
OSV
Panic due to large inputs affecting P-256 curves in crypto/elliptic
osv · 2022-05-20 · CVE-2022-28327
A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
GHSA
GHSA-v5qw-m6mv-3q79: The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
ghsa_unreviewed · 2022-04-21 · CVE-2022-28327 [HIGH]
The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
OSV
CVE-2022-28327: The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
osv · 2022-04-20 · CVSS 7.5 · CVE-2022-28327 [HIGH]
The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
No detection rules found.
No public exploits indexed.
References
https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
https://groups.google.com/g/golang-announce
https://groups.google.com/g/golang-announce/c/oecdBNLOml8
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42TYZC4OAY54TO75FBEFAPV5G7O4D5TM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F3BMW5QGX53CMIJIZWKXFKBJX2C5GWTY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NY6GEAJMNKKMU5H46QO4D7D6A24KSPXE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RCRSABD6CUDIZULZPZL5BJ3ET3A2NEJP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/
https://security.gentoo.org/glsa/202208-02
https://security.netapp.com/advisory/ntap-20220915-0010/