CVE-2019-11840
Description
An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An integer overflow in the amd64 assembly of Go's Salsa20 library causes keystream reuse after 256 GiB, leading to confidentiality loss.
An integer overflow flaw was discovered in the amd64 assembly implementation of the Salsa20 and Salsa20/Salsa packages in the supplementary Go cryptography library, golang.org/x/crypto. The vulnerability, present in versions prior to commit b7391e95, causes the 32-bit counter used in keystream generation to wrap around. When more than 256 GiB of keystream is produced for a single key/nonce pair, or if the counter exceeds 32 bits through other means, the implementation first generates incorrect output and then cycles back to previously generated keystream bytes[1][2][3]. The root cause is a flaw in the amd64 assembly loops inherited from the SUPERCOP and NaCl distributions, where support for counters larger than 32 bits was an incomplete experiment[1][4]. Architectures other than amd64 are unaffected[1][4].
An attacker does not need to be authenticated or have special network access to exploit this condition; the vulnerability is triggered automatically when an application using the affected library processes very large messages or generates a large amount of keystream in a single salsa20.XORKeyStream invocation. The prerequisite is that the application must be built with the vulnerable amd64 assembly code and must produce or process more than 256 GiB of data under a single key/nonce combination. In practice, this can affect high-throughput encryption or CSPRNG usage patterns, as well as applications that encrypt extremely large messages[1][4].
The impact of this flaw is a loss of confidentiality. Because the keystream repeats, an attacker who can observe multiple ciphertexts generated with the same repeating keystream can recover the plaintext or perform other cryptanalytic attacks. In CSPRNG applications, the predictability undermines the security properties expected of a random number generator[1][3]. The issue was assigned a CVSS v3 score of 5.9 (Medium), reflecting the constrained exploitation scenario but serious consequences[1].
The fix was committed on 2019-03-19 and released in commit b7391e95e, which patches the amd64 assembly to correctly handle counter values larger than 32 bits[2][4]. Users of golang.org/x/crypto are advised to update to the latest version that includes this commit. Downstream projects such as Fedora packages (gomtree, source-to-image) and Red Hat products were also tracked for patching[3]. The upstream maintainers note that the same bug exists in SUPERCOP and NaCl, but those libraries do not consider it a problem due to their policy of not supporting counters larger than 32 bits[4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
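The 256 GiB threshold is what a 32-bit block counter can address with Salsa20's 64-byte blocks (2^32 × 64 bytes). The following is an added example, not code from golang.org/x/crypto or from this page: a caller-side guard that refuses to draw keystream past that point under one key/nonce pair. The names Budget, NewBudget, Reserve and Truncated32 are hypothetical, and Truncated32 is a simplified model of counter wrap, not the assembly's exact behaviour.

```go
package main

import (
	"errors"
	"fmt"
)

const (
	blockSize   = 64                    // Salsa20 emits keystream in 64-byte blocks
	maxBlocks   = uint64(1) << 32       // blocks addressable by a 32-bit counter
	MaxPerNonce = maxBlocks * blockSize // 2^38 bytes = 256 GiB
)

var ErrBudget = errors.New("keystream budget for this key/nonce exhausted")

// Budget tracks keystream bytes consumed under one key/nonce pair (hypothetical helper).
type Budget struct{ used uint64 }

// NewBudget accounts for a caller-chosen starting block counter, since the
// limit is on the counter value, not only on bytes produced.
func NewBudget(startBlock uint64) (*Budget, error) {
	if startBlock >= maxBlocks {
		return nil, ErrBudget
	}
	return &Budget{used: startBlock * blockSize}, nil
}

// Reserve records n more bytes, rejecting any request that would push the
// block counter past 32 bits. The subtraction form cannot overflow uint64.
func (b *Budget) Reserve(n uint64) error {
	if n > MaxPerNonce-b.used {
		return ErrBudget
	}
	b.used += n
	return nil
}

// Truncated32 models a counter that keeps only its low 32 bits (simplified).
func Truncated32(off uint64) uint32 { return uint32(off / blockSize) }

func main() {
	b, _ := NewBudget(0)
	fmt.Println(b.Reserve(MaxPerNonce), b.Reserve(1))
	// In this model, byte offsets 0 and 2^38 land on the same counter value.
	fmt.Println(Truncated32(0) == Truncated32(MaxPerNonce))
}
```

Call Reserve before each XORKeyStream call and rotate the nonce (or key) when it returns ErrBudget.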
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| golang.org/x/crypto (Go) | < 0.0.0-20190320223903-b7391e95e576 | 0.0.0-20190320223903-b7391e95e576 |
Affected products
- golang.org/x/crypto (source: description)
- osv-coords (7 versions):

| Package URL | CPE | Range |
|---|---|---|
| pkg:apk/chainguard/k3d | (no CPE) | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-proxy | (no CPE) | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-tools | (no CPE) | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d | (no CPE) | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-proxy | (no CPE) | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-tools | (no CPE) | < 5.6.0-r11 |
| pkg:golang/golang.org/x/crypto | (no CPE) | < 0.0.0-20190320223903-b7391e95e576 |
References
- go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d (nvd: Mailing List, Patch, Third Party Advisory, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd: Issue Tracking, Vendor Advisory, WEB)
- github.com/advisories/GHSA-r5c5-pr8j-pfp7 (ghsa: ADVISORY)
- github.com/golang/go/issues/30965 (nvd: Third Party Advisory, WEB)
- lists.debian.org/debian-lts-announce/2019/06/msg00029.html (nvd: Mailing List, Third Party Advisory, WEB)
- lists.debian.org/debian-lts-announce/2020/10/msg00014.html (nvd: Mailing List, Third Party Advisory, WEB)
- lists.debian.org/debian-lts-announce/2020/11/msg00016.html (nvd: Mailing List, Third Party Advisory, WEB)
- lists.debian.org/debian-lts-announce/2020/11/msg00030.html (nvd: Mailing List, Third Party Advisory, WEB)
- lists.debian.org/debian-lts-announce/2021/01/msg00015.html (nvd: Mailing List, Third Party Advisory, WEB)
- lists.debian.org/debian-lts-announce/2023/06/msg00017.html (nvd: Third Party Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2019-11840 (ghsa: ADVISORY)
- pkg.go.dev/vuln/GO-2022-0209 (nvd: Third Party Advisory, WEB)
- go.dev/cl/168406 (ghsa: WEB)
- go.dev/issue/30965 (ghsa: WEB)
- groups.google.com/forum/ (ghsa: WEB)
- groups.google.com/forum/ (nvd: Permissions Required)
- groups.google.com/g/golang-announce/c/tjyNcJxb2vQ/m/n0NRBziSCAAJ (ghsa: WEB)