CVE-2023-29404
published 2023-06-08

Priority: P262
Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.84% (76.3rd percentile)
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.

Affected (23 ranges)

Vendor          Product                                              Version range              Fixed in
debian          golang-1.15
debian          golang-1.19
fedoraproject   fedora
go_toolchain    cmd_go                                               < 1.19.10                  1.19.10
go_toolchain    cmd_go                                               >= 1.20.0-0, < 1.20.5      1.20.5
golang          go                                                   < 1.19.10                  1.19.10
golang          go                                                   >= 1.20.0, < 1.20.5        1.20.5
msrc            azl3_gcc_13.2.0-7_on_azure_linux_3.0
msrc            azl3_golang_1.22.7-1_on_azure_linux_3.0
msrc            azl3_golang_1.22.7-2_on_azure_linux_3.0
msrc            azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0
msrc            azl3_tensorflow_2.16.1-9_on_azure_linux_3.0
msrc            azure_linux_3.0_arm
msrc            azure_linux_3.0_x64
msrc            cbl2_golang_1.17.13-2_on_cbl_mariner_2.0
msrc            cbl2_golang_1.18.8-7_on_cbl_mariner_2.0
msrc            cbl2_golang_1.20.7-1_on_cbl_mariner_2.0
msrc            cbl2_golang_1.21.6-1_on_cbl_mariner_2.0
msrc            cbl2_msft-golang_1.19.10-1_on_cbl_mariner_2.0
msrc            cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0
msrc            cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0
msrc            cbl_mariner_2.0_arm
msrc            cbl_mariner_2.0_x64

Detection & IOCs (extracted from sources)

  • Trigger vector: a malicious module delivering a `#cgo LDFLAGS` directive whose non-optional flag arguments are smuggled past the LDFLAGS sanitization, reachable via `go get` or any build command that compiles untrusted code
  • Audit/monitor `go get` invocations against untrusted or external modules, and inspect fetched source for `#cgo LDFLAGS` directives before it is built
  • Both the `gc` and `gccgo` compiler toolchains are affected; detection/hardening should cover both compiler paths
  • The vulnerability is only exploitable when the `gc` or `gccgo` compiler is invoked; pre-compiled Go binaries shipped by Red Hat are NOT affected, so scope detection efforts to build-time environments
  • The LDFLAGS sanitization logic incorrectly treats the arguments of non-optional flags as optional, so a blocklist check on individual tokens is insufficient to prevent flag smuggling; any pre-build filter on cgo LDFLAGS must validate that every argument-taking flag is actually followed by a plain argument, not by another flag
  • Scope of affected environments is build-time only (cgo usage); runtime or binary-only deployments are not a vector. Building untrusted code with `CGO_ENABLED=0` disables cgo altogether, so `#cgo` directives never reach the compiler or linker; the actual fix is upgrading to Go 1.19.10 or 1.20.5
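The following scanner is an added example for the audit bullets above; it is not code from this page, from the Go project, or from any vendor advisory. It walks the `#cgo LDFLAGS` directives of one Go source file and reports three things: tokens outside an allowlist, argument-taking flags whose argument looks like another flag, and argument-taking flags that end a directive with no argument at all, which is the shape of the bug the advisory describes (a non-optional argument treated as optional). The flag list and the allowlist regexes are deliberately narrow assumptions made for this example, not the go command's own lists, and `sample` is a constructed preamble, not a real module.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding records one suspicious token in a "#cgo LDFLAGS" directive.
type Finding struct {
	Line   int    // 1-based line in the scanned file
	Token  string // the offending token
	Reason string
}

// Linker flags that must be followed by a separate argument. Illustrative
// subset chosen for this example, not the go command's own list.
var flagsWithRequiredArg = map[string]bool{
	"-L": true, "-l": true, "-framework": true, "-Wl,-rpath": true, "-Wl,-R": true,
}

// Self-contained tokens accepted without further checks: plain -lname, -Lpath,
// -Wl,-rpath,path, -pthread and -O levels. A deliberately narrow allowlist
// assumed for the example, not the go command's list.
var safeToken = regexp.MustCompile(`^-(l[\w.+-]+|L[\w./+-]+|Wl,-rpath,[\w./+-]+|pthread|O[0-3]?)$`)

// An argument to a flag above must be a bare name or path; it must not start
// with "-", otherwise "-L -static" would slip a second flag through.
var safeArg = regexp.MustCompile(`^[\w./][\w./+-]*$`)

// Matches "#cgo LDFLAGS:" or "#cgo <constraints> LDFLAGS:" in a cgo preamble,
// with or without a leading "//".
var ldflagsDirective = regexp.MustCompile(`^\s*(?://)?\s*#cgo(?:\s+[\w.,!]+)*?\s+LDFLAGS:\s*(.*)$`)

// ScanLDFLAGS tokenizes every LDFLAGS directive in src and reports tokens that
// a conservative reviewer would not let through.
func ScanLDFLAGS(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		m := ldflagsDirective.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		toks := strings.Fields(m[1])
		for i := 0; i < len(toks); i++ {
			t := toks[i]
			switch {
			case flagsWithRequiredArg[t]:
				if i+1 >= len(toks) {
					// The argument is required; a directive ending here is the
					// "optional argument" pattern from the advisory.
					out = append(out, Finding{n, t, "flag requires an argument but ends the directive"})
					continue
				}
				if !safeArg.MatchString(toks[i+1]) {
					out = append(out, Finding{n, toks[i+1], "argument to " + t + " looks like a flag"})
				}
				i++ // consume the argument
			case safeToken.MatchString(t):
				// accepted as-is
			default:
				out = append(out, Finding{n, t, "token outside allowlist"})
			}
		}
	}
	return out
}

// sample is a constructed cgo preamble for this example, not a real module:
// the first two directives are clean, the third ends with a bare -L, and the
// fourth carries an unvetted -Wl option.
const sample = `package probe

/*
#cgo LDFLAGS: -L/opt/lib -lfoo
#cgo linux LDFLAGS: -Wl,-rpath,/opt/lib -lbar
#cgo LDFLAGS: -lbaz -L
#cgo LDFLAGS: -Wl,--some-unvetted-flag
#include <stdlib.h>
*/
import "C"
`

func main() {
	for _, f := range ScanLDFLAGS(sample) {
		fmt.Printf("line %d: %q: %s\n", f.Line, f.Token, f.Reason)
	}
}
```

Run over a freshly fetched module cache before `go build`, the scanner flags the directive on line 6 (`-L` with no argument) and line 7 (an unvetted `-Wl,` option). It is a review aid, not a replacement for the upstream fix: its allowlist is narrower than Go's on purpose, so expect false positives on legitimate but unusual flags, and still upgrade the toolchain or build untrusted code with `CGO_ENABLED=0`.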

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                      9.8    CRITICAL
vendor_debian            9.8    CRITICAL
vendor_msrc              9.8    CRITICAL
vendor_redhat            9.8    CRITICAL
vendor_ubuntu            9.8    CRITICAL