CVE-2023-29405
published 2023-06-08


Priority: P262
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.73% (74.7th percentile)
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

Affected

20 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | | |
| debian | golang-1.19 | | |
| fedoraproject | fedora | | |
| go_toolchain | cmd_cgo | < 1.19.10 | 1.19.10 |
| go_toolchain | cmd_cgo | >= 1.20.0-0 < 1.20.5 | 1.20.5 |
| go_toolchain | cmd_go | < 1.19.10 | 1.19.10 |
| go_toolchain | cmd_go | >= 1.20.0-0 < 1.20.5 | 1.20.5 |
| golang | go | < 1.19.10 | 1.19.10 |
| golang | go | >= 1.20.0 < 1.20.5 | 1.20.5 |
| msrc | azl3_golang_1.20.7-1_on_azure_linux_3.0 | | |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | | |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | | |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | | |
| msrc | cbl2_golang_1.17.13-2_on_cbl_mariner_2.0 | | |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | | |
| msrc | cbl2_golang_1.20.7-1_on_cbl_mariner_2.0 | | |
| msrc | cbl2_golang_1.21.6-1_on_cbl_mariner_2.0 | | |
| msrc | cbl2_msft-golang_1.20.7-1_on_cbl_mariner_2.0 | | |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | | |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | | |

Detection & IOCs (extracted from sources)

  • Trigger vector: malicious module processed via 'go get' or any build command using cgo with the gccgo compiler, where '#cgo LDFLAGS' directives contain flags with embedded spaces to smuggle disallowed flags past sanitization
  • Scope is limited exclusively to the gccgo compiler; standard Go toolchain (pre-compiled golang binaries) is NOT affected — focus detection on build environments using gccgo
  • Red Hat confirms: only customer use of the GCCGO compiler is affected, not pre-compiled golang binaries — triage build pipelines for gccgo usage
  • Arbitrary code execution occurs at build time (not runtime) — monitor CI/CD and build system logs for unexpected process spawning during 'go get' or cgo build steps with gccgo
  • Vulnerability is exclusively triggered when using the gccgo compiler; the standard Go compiler toolchain is not affected
  • The smuggling technique relies on flags with embedded spaces inside a '#cgo LDFLAGS' directive — LDFLAGS sanitization logic does not correctly handle space-embedded arguments

CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 9.8 | CRITICAL | |
| vendor_msrc | 9.8 | CRITICAL | |
| vendor_redhat | 9.8 | CRITICAL | |
| vendor_ubuntu | 9.8 | CRITICAL | |