CVE-2022-32189 — Uncontrolled Resource Consumption in Standard Library Math BIG

CWE-400 — Uncontrolled Resource Consumption11 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 70.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library Math BIG Golang GO

Timeline

PublishedAug 10

Latest updateJan 9

Description

A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5go_standard_library/math_big1.18.0-0 — 1.18.5+1

▶NVDgolang/go1.18.0 — 1.18.5+1

Patches

Patch: go.dev ↗Patch: go.googlesource.com ↗Patch: go.dev ↗

🔴Vulnerability Details

OSV

golang-1.18 vulnerabilities↗2023-04-25

▶

GHSA

GHSA-3rm2-w8f7-h7rf: A too-short encoded message can cause a panic in Float↗2022-08-11

▶

OSV

CVE-2022-32189: A too-short encoded message can cause a panic in Float↗2022-08-10

▶

CVEList

Panic when decoding Float and Rat types in math/big↗2022-08-09

▶

OSV

Panic when decoding Float and Rat types in math/big↗2022-08-01

▶

📋Vendor Advisories

Ubuntu

Go vulnerabilities↗2024-01-09

▶

Ubuntu

Go vulnerabilities↗2023-04-25

▶

Microsoft

Panic when decoding Float and Rat types in math/big↗2022-08-09

▶

Red Hat

golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service↗2022-08-01

▶

Debian

CVE-2022-32189: golang-1.15 - A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDeco...↗2022

▶