CVE-2022-30634 — Infinite Loop in Standard Library Crypto Rand

CWE-835 — Infinite Loop6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 76.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library Crypto Rand Golang GO

Timeline

PublishedJul 15

Latest updateJul 16

Description

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5go_standard_library/crypto_rand1.18.0-0 — 1.18.3+1

▶NVDgolang/go1.18.0 — 1.18.3+1

Patches

Patch: go.dev ↗Patch: go.googlesource.com ↗Patch: go.dev ↗

🔴Vulnerability Details

GHSA

GHSA-vfh9-chgv-wfph: Infinite loop in Read in crypto/rand before Go 1↗2022-07-16

▶

OSV

CVE-2022-30634: Infinite loop in Read in crypto/rand before Go 1↗2022-07-15

▶

CVEList

Indefinite hang with large buffers on Windows in crypto/rand↗2022-07-15

▶

OSV

Indefinite hang with large buffers on Windows in crypto/rand↗2022-06-09

▶

📋Vendor Advisories

Debian

CVE-2022-30634: golang-1.15 - Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows ...↗2022

▶