CVE-2024-34158 — Uncontrolled Recursion in Standard Library GO Build Constraint

CWE-674 — Uncontrolled Recursion CWE-1325 — Improperly Controlled Sequential Memory Allocation15 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 62.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library GO Build Constraint Debian Golang-1.15 Debian Golang-1.19 +11 more

Timeline

PublishedSep 6

Latest updateNov 14

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages14 packages

▶CVEListV5go_standard_library/go_build_constraint1.23.0-0 — 1.23.1+1

▶debiandebian/golang-1.15

▶debiandebian/golang-1.19

▶msrcmsrc/azl3_gcc_13.2.0-7_on_azure_linux_3.0

▶msrcmsrc/cbl2_gcc_11.2.0-8_on_cbl_mariner_2.0

🔴Vulnerability Details

OSV

golang-1.17 vulnerabilities↗2024-11-14

▶

OSV

golang-1.18 vulnerabilities↗2024-11-14

▶

OSV

golang-1.22 vulnerabilities↗2024-10-23

▶

OSV

Stack exhaustion in Parse in go/build/constraint↗2024-09-06

▶

GHSA

GHSA-j7vj-rw65-4v26: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion↗2024-09-06

▶

📋Vendor Advisories

Ubuntu

Go vulnerabilities↗2024-11-14

▶

Ubuntu

Go vulnerabilities↗2024-11-14

▶

Ubuntu

Go vulnerabilities↗2024-10-23

▶

Microsoft

Stack exhaustion in Parse in go/build/constraint↗2024-09-10

▶

Red Hat

go/build/constraint: golang: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion↗2024-09-06

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33466 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-68383 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶