CVE-2022-28327 — Integer Overflow or Wraparound in GO

Severity

7.5HIGHNVD

EPSS

0.2%

top 60.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedApr 20

Latest updateApr 15

Description

The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

▶NVDgolang/go1.18.0 — 1.18.1+1

Also affects: Fedora 34, 35, 36

OSV

Panic due to large inputs affecting P-256 curves in crypto/elliptic↗2022-05-20

▶

GHSA

GHSA-v5qw-m6mv-3q79: The generic P-256 feature in crypto/elliptic in Go before 1↗2022-04-21

▶

OSV

CVE-2022-28327: The generic P-256 feature in crypto/elliptic in Go before 1↗2022-04-20

▶

CVEList

CVE-2022-28327: The generic P-256 feature in crypto/elliptic in Go before 1↗2022-04-20

▶

Oracle

Oracle Oracle Blockchain Platform Risk Matrix: BCS Console (Golang Go) — CVE-2022-28327↗2023-04-15

▶

Microsoft

The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.↗2022-04-12

▶

Red Hat

golang: crypto/elliptic: panic caused by oversized scalar↗2022-04-12

▶