CVE-2020-7919
Description
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A malformed X.509 certificate can panic a Go program that parses it through crypto/tls (a client, or a server that accepts client certificates) on 32-bit architectures; affects Go before 1.12.16 and 1.13.x before 1.13.7.
Vulnerability
Overview
CVE-2020-7919 is a denial-of-service vulnerability in Go's crypto/x509 certificate parsing and in the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte, a copy of which the standard library vendors for crypto/x509. On 32-bit architectures, where int is 32 bits wide, a malformed input can lead to a panic [3]. The root cause is improper handling of crafted certificate data in the ASN.1 parsing routines: a DER length field that fits a 32-bit unsigned integer but not the platform's signed int is not rejected before it is used, so it wraps negative and the slice that follows panics. 64-bit builds do not hit the wrap and are not affected.
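To make that failure mode concrete, here is an added example written for this page (it is not cryptobyte's code and does not reproduce the upstream patch line for line). It models the bug class the advisory describes: a DER length decoder that keeps the length as a uint32, a reader that converts it straight to a 32-bit int and slices, and beside it a hardened reader that rejects the length before it is ever used as an index. `platformInt` is an alias for int32 so the wrap reproduces on a 64-bit host; `derLength`, `splitTLV`, `readValueVulnerable`, `readValueHardened` and `panics` are names chosen here, and the two TLV byte strings are constructed inputs, not taken from any real certificate.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample inputs (not from any real certificate). Each is one
// ASN.1 TLV: a tag byte, DER length octets, then the value bytes.
var (
	// SEQUENCE of length 3 holding INTEGER 5: well-formed.
	wellFormed = []byte{0x30, 0x03, 0x02, 0x01, 0x05}
	// SEQUENCE whose long-form length 0x84 FF FF FF FF = 4294967295 is
	// DER-valid (four octets, minimal, >= 128) but fits only a uint32,
	// not a 32-bit signed int. A couple of junk bytes follow.
	oversized = []byte{0x30, 0x84, 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x02}
)

// platformInt models the 32-bit int of a 386 or arm build, so the wrap
// below reproduces even when this program runs on a 64-bit host.
type platformInt = int32

// derLength decodes DER length octets and returns the value length as a
// uint32 plus the number of length octets consumed. Lengths encoded in more
// than four octets are rejected, so the result always fits a uint32.
func derLength(in []byte) (uint32, int, error) {
	if len(in) == 0 {
		return 0, 0, errors.New("missing length octet")
	}
	first := in[0]
	if first&0x80 == 0 { // short form: one octet, 0..127
		return uint32(first), 1, nil
	}
	n := int(first & 0x7f)
	if n == 0 || n > 4 {
		return 0, 0, errors.New("indefinite or unsupported length encoding")
	}
	if len(in) < 1+n {
		return 0, 0, errors.New("truncated length octets")
	}
	var length uint32
	for _, b := range in[1 : 1+n] {
		length = length<<8 | uint32(b)
	}
	// DER requires the shortest encoding: long form only for >= 128 and
	// no leading zero octet.
	if length < 128 || length>>(uint(n-1)*8) == 0 {
		return 0, 0, errors.New("non-minimal length encoding")
	}
	return length, 1 + n, nil
}

// splitTLV skips the tag, decodes the length, and returns the length together
// with the bytes that follow the header.
func splitTLV(tlv []byte) (uint32, []byte, error) {
	if len(tlv) < 1 {
		return 0, nil, errors.New("empty input")
	}
	length, consumed, err := derLength(tlv[1:])
	if err != nil {
		return 0, nil, err
	}
	return length, tlv[1+consumed:], nil
}

// readValueVulnerable converts the uint32 length to the platform int and
// slices. For a length above 2^31-1 the conversion wraps negative, the
// "enough data left" check passes vacuously, and the slice expression panics
// with a slice-bounds runtime error. This is the unsafe shape.
func readValueVulnerable(tlv []byte) ([]byte, error) {
	length, rest, err := splitTLV(tlv)
	if err != nil {
		return nil, err
	}
	n := platformInt(length) // 0xFFFFFFFF becomes -1 on a 32-bit int
	if platformInt(len(rest)) < n {
		return nil, errors.New("truncated value")
	}
	return rest[:n], nil // panics: slice bounds out of range [:-1]
}

// readValueHardened refuses a length that does not fit the platform int
// before it is used anywhere, which is the kind of check that closes the hole.
func readValueHardened(tlv []byte) ([]byte, error) {
	length, rest, err := splitTLV(tlv)
	if err != nil {
		return nil, err
	}
	n := platformInt(length)
	if n < 0 || platformInt(len(rest)) < n {
		return nil, fmt.Errorf("length %d does not fit the platform int or exceeds the %d bytes available", length, len(rest))
	}
	return rest[:n], nil
}

// panics reports whether f panics. The recover is here only so this demo can
// observe the crash; a TLS client has no recover around its handshake.
func panics(f func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	v, err := readValueHardened(wellFormed)
	fmt.Printf("well-formed TLV: value=%x err=%v\n", v, err)
	fmt.Println("vulnerable reader panics on oversized length:",
		panics(func() { readValueVulnerable(oversized) }))
	_, err = readValueHardened(oversized)
	fmt.Println("hardened reader on oversized length:", err)
}
```

The same check written against the native int would be a no-op on a 64-bit host, which is exactly why the advisory scopes the panic to 32-bit architectures and why testing a parser only on amd64 can miss this class of bug.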
Exploitation
Vector
A malformed X.509 certificate can be delivered over a crypto/tls connection to a client, or to a server that accepts client certificates [3]. The certificate does not need to chain to a trusted root: crypto/tls parses the peer's certificates before it verifies them, so the panic is reachable even with verification disabled. For example, net/http clients can be made to crash by a malicious HTTPS server. net/http servers that accept client certificates recover from the panic and are unaffected [3], because net/http runs each connection, handshake included, under a deferred recover; a server built directly on crypto/tls without such a recover crashes like a client. The vulnerability is triggered when the peer's crafted certificate is parsed during the TLS handshake, and only in 32-bit builds.
Impact
An attacker who can serve a malformed certificate to a Go-based TLS client (or to a server that accepts client certificates) can cause the target application to panic and crash, resulting in a denial of service [3]. Because an unrecovered panic in any goroutine terminates the whole Go process, one crafted certificate takes down the entire client program, not just the connection that received it. This is a high-severity issue (CVSS 7.5) because it requires no special privileges and can be triggered remotely. The vulnerability does not enable code execution or privilege escalation.
Mitigation
The issue is fixed in Go 1.12.16 and Go 1.13.7, and in golang.org/x/crypto at v0.0.0-20200124225646-8b5121be2f68 [3][4]; the fix is also included in Go 1.14rc1 [3]. Users should rebuild with one of these toolchains or later. Modules that import golang.org/x/crypto directly (Helm is the case recorded in the affected-packages table) must also bump that dependency, since the standard library's crypto/x509 and the x/crypto module each carry their own copy of cryptobyte and a toolchain upgrade alone does not touch the module copy. There is no workaround other than updating, as the vulnerability sits in the TLS stack's own certificate parsing; building only 64-bit targets avoids the panic but does not remove the defect. The Go vulnerability database tracks this issue as GO-2022-0229, which is the identifier govulncheck reports for affected binaries.
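As an added practitioner check (written for this page, not tooling from the Go project), the following program parses a Go release string and applies the fixed-release boundaries above together with the 32-bit caveat from the advisory. `parseGoVersion`, `fixedForCVE20207919` and `exposed` are names chosen here; the release strings in the test are constructed inputs in the format runtime.Version() and `go version` print.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// goRelease is a parsed Go release string such as "go1.13.6" or "go1.14rc1".
type goRelease struct {
	major, minor, patch int
	prerelease          bool // rc and beta builds carry no patch number
}

// parseGoVersion parses the release strings that runtime.Version() and
// `go version` print. Development builds ("devel ...") are rejected because
// they cannot be placed against a fixed-release boundary.
func parseGoVersion(v string) (goRelease, error) {
	var r goRelease
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	// Split off an rc/beta suffix: "1.14rc1" becomes "1.14" flagged prerelease.
	for _, tag := range []string{"rc", "beta"} {
		if i := strings.Index(v, tag); i >= 0 {
			v, r.prerelease = v[:i], true
		}
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goRelease{}, fmt.Errorf("unrecognised Go release %q", v)
	}
	nums := make([]int, 3) // missing patch component defaults to 0
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return goRelease{}, fmt.Errorf("unrecognised Go release %q: %v", v, err)
		}
		nums[i] = n
	}
	r.major, r.minor, r.patch = nums[0], nums[1], nums[2]
	return r, nil
}

// fixedForCVE20207919 reports whether a toolchain release carries the fix:
// 1.12.16 and later on the 1.12 line, 1.13.7 and later on the 1.13 line, and
// everything from 1.14rc1 on. Anything older than the 1.12 line is "before
// 1.12.16" in the CVE's wording and is therefore treated as unfixed.
func fixedForCVE20207919(r goRelease) bool {
	switch {
	case r.major > 1 || r.minor >= 14:
		return true
	case r.minor == 13:
		return r.patch >= 7
	case r.minor == 12:
		return r.patch >= 16
	default:
		return false
	}
}

// exposed combines the toolchain check with the platform caveat: the panic is
// reachable only where int is 32 bits wide (strconv.IntSize == 32). A 64-bit
// build of an unfixed toolchain is reported as not exposed, though it should
// still be upgraded.
func exposed(version string, intSize int) (bool, error) {
	r, err := parseGoVersion(version)
	if err != nil {
		return false, err
	}
	return !fixedForCVE20207919(r) && intSize == 32, nil
}

func main() {
	v := runtime.Version()
	e, err := exposed(v, strconv.IntSize)
	fmt.Printf("%s on %s/%s (int is %d bits): exposed=%v err=%v\n",
		v, runtime.GOOS, runtime.GOARCH, strconv.IntSize, e, err)
}
```

Run the program inside the build you actually ship (for example under GOARCH=386) rather than on the developer's amd64 workstation, since strconv.IntSize reflects the binary that is executing, not the target you cross-compile for elsewhere.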
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/helm/helm | Go | >= 2.0.0, < 2.16.8 | 2.16.8 |
| helm.sh/helm/v3 | Go | >= 3.0.0, < 3.1.0 | 3.1.0 |
| golang.org/x/crypto | Go | < 0.0.0-20200124225646-8b5121be2f68 | 0.0.0-20200124225646-8b5121be2f68 |
Affected products
11 entries: one vendor/product pair taken from the CVE description (Go / Go, no CPE) and 10 OSV package coordinates with version ranges, none of which has a CPE.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/k3d | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-proxy | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-tools | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-proxy | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-tools | < 5.6.0-r11 |
| pkg:bitnami/golang | >= 1.12.0, < 1.12.6 (as recorded in the source data; the CVE description gives 1.12.16 as the fixed release) |
| pkg:golang/github.com/helm/helm | >= 2.0.0, < 2.16.8 |
| pkg:golang/golang.org/x/crypto | < 0.0.0-20200124225646-8b5121be2f68 |
| pkg:golang/helm.sh/helm/v3 | >= 3.0.0, < 3.1.0 |
Patches
No patches discovered yet (the upstream fix commit is listed under References).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
21 references in the source bundle, deduplicated here; source tags from GHSA, MITRE and NVD are given in parentheses.
- github.com/advisories/GHSA-cjjc-xp8v-855w (GHSA advisory)
- github.com/helm/helm/security/advisories/GHSA-cjjc-xp8v-855w (Helm security advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2020-7919 (NVD entry, via GHSA)
- go.dev/issue/36837 (Go issue, via GHSA)
- go.dev/cl/216677 (Go change list, via GHSA)
- go.dev/cl/216680 (Go change list, via GHSA)
- go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574 (fix commit in the Go tree, via GHSA)
- groups.google.com/g/golang-announce/c/Hsw4mHYc470 (golang-announce thread, via GHSA)
- groups.google.com/forum/ (six entries whose paths are truncated in the source bundle: three via GHSA, three via MITRE, one of them tagged CONFIRM)
- pkg.go.dev/vuln/GO-2022-0229 (Go vulnerability database, via GHSA)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S43VLYRURELDWX4D5RFOYBNFGO6CGBBC/ (Fedora vendor advisory, via MITRE and GHSA)
- www.debian.org/security/2021/dsa-4848 (Debian vendor advisory DSA-4848, via GHSA)
- security.netapp.com/advisory/ntap-20200327-0001/ (NetApp advisory, via GHSA and MITRE, tagged CONFIRM)
- www.oracle.com/security-alerts/cpuApr2021.html (Oracle Critical Patch Update, April 2021, via GHSA)
News mentions
No linked articles in our index yet.