CVE-2018-17846
Description
The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Go x/net/html package before commit d26f9f9 (2018-09-25) suffers from an infinite loop vulnerability when parsing crafted HTML, leading to denial of service.
Vulnerability
The x/net/html package in Go, specifically the html.Parse function, mishandles a specific sequence of HTML elements. This causes an infinite loop because the state machine functions inSelectIM and inSelectInTableIM do not comply with the HTML specification. Affected versions include all releases of `golang.org/x/net/html` up to commit 4b62a64f59f7 (September 25, 2018). [1][2]
Exploitation
An attacker can trigger the infinite loop by providing a crafted HTML document to any application that uses the html.Parse function. No authentication or special privileges are required; the attacker only needs the ability to supply input to the parser, such as by submitting a malicious web page to a parsing service or uploading a file containing the crafted HTML.
Impact
Successful exploitation results in a denial of service (DoS) condition, as the parser enters an infinite loop, consuming CPU resources indefinitely. This can cause the application or service to become unresponsive, affecting availability. No information disclosure, file modification, or remote code execution is involved.
Mitigation
The vulnerability is fixed in commit d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf of the golang.org/x/net repository, which was merged on January 25, 2019. Users should update their golang.org/x/net dependency to a version that includes this commit. The Go vulnerability database lists this as GO-2020-0014. [2][3] For Fedora distributions, the fix is included in updated packages; however, the specific versions are not detailed in the available references.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| golang.org/x/net | Go | < 0.0.0-20190125091013-d26f9f9a57f3 | 0.0.0-20190125091013-d26f9f9a57f3 |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vfw5-hrgq-h5wf (GitHub Security Advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON/ (Fedora vendor advisory, via MITRE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK/ (Fedora vendor advisory, via MITRE)
- nvd.nist.gov/vuln/detail/CVE-2018-17846 (NVD entry)
- github.com/golang/go/issues/27842 (Go issue tracker)
- go-review.googlesource.com/c/137275 (Go code review)
- go.dev/issue/27842 (Go issue tracker)
- go.googlesource.com/net/+/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf (fix commit in golang.org/x/net)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON (Fedora vendor advisory, via GHSA)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK (Fedora vendor advisory, via GHSA)
- pkg.go.dev/vuln/GO-2020-0014 (Go vulnerability database)
News mentions: 0
No linked articles in our index yet.