CVE-2021-38561
Description
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in golang.org/x/text/language before 0.3.7 can cause a panic during BCP 47 tag parsing, enabling denial-of-service via untrusted input.
Vulnerability
The vulnerability resides in the golang.org/x/text/language package, which implements BCP 47 language tag parsing and matching [1]. Due to a mishandled index calculation during parsing, an attacker can trigger an out-of-bounds read, causing the program to panic [3]. This affects versions before 0.3.7.
Exploitation
The attack surface is any application that parses untrusted language tags, such as those from HTTP Accept-Language headers, cookies, or user-supplied input [1]. No authentication is required; the attacker only needs to send a crafted BCP 47 tag to a vulnerable endpoint. The parsing function does not properly validate index boundaries, leading to a panic when processing malformed input.
Impact
Successful exploitation results in a denial-of-service (DoS) condition: the application crashes due to the panic. This can be used to disrupt services that rely on language tag parsing, such as content negotiation or localization systems.
Mitigation
The issue is fixed in version 0.3.7 of golang.org/x/text [4]. Users should update to this version or later. No workaround is available; upgrading is the recommended action.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| golang.org/x/text (Go) | < 0.3.7 | 0.3.7 |
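An added example, not part of the advisory or of golang.org/x/text: a small Go check that reads go.mod text and reports whether the required golang.org/x/text version falls in the affected range listed above (< 0.3.7). The function names and the sample go.mod are constructed for illustration, and it assumes plain `require` entries; `replace` directives are not evaluated.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample go.mod for this example, not a real project's file.
const sampleGoMod = "module example.com/app\n\nrequire (\n\tgolang.org/x/text v0.3.6 // indirect\n)\n"

// affected reports whether a module version sorts before v0.3.7, the patched release.
func affected(version string) (bool, error) {
	fixed, got := [3]int{0, 3, 7}, [3]int{}
	v, _, _ := strings.Cut(strings.TrimPrefix(version, "v"), "+") // drop build metadata
	core, pre, _ := strings.Cut(v, "-")                           // split off pre-release or pseudo-version suffix
	if n, err := fmt.Sscanf(core, "%d.%d.%d", &got[0], &got[1], &got[2]); n != 3 || err != nil {
		return false, fmt.Errorf("not a semantic version: %q", version)
	}
	for i := range got {
		if got[i] != fixed[i] {
			return got[i] < fixed[i], nil
		}
	}
	return pre != "", nil // v0.3.7-<suffix> sorts before v0.3.7, so it counts as affected
}

// xTextVersion returns the golang.org/x/text version required by go.mod text.
func xTextVersion(gomod string) (string, bool) {
	block, sc := "", bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // strip "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) == 2 && f[1] == "(" {
			block = f[0] // entering a require/exclude/replace block
		} else if len(f) == 1 && f[0] == ")" {
			block = ""
		} else if len(f) == 3 && f[0] == "require" && f[1] == "golang.org/x/text" {
			return f[2], true
		} else if len(f) == 2 && block == "require" && f[0] == "golang.org/x/text" {
			return f[1], true
		}
	}
	return "", false
}

func main() {
	v, _ := xTextVersion(sampleGoMod)
	fmt.Println(affected(v))
}
```

Older builds often pin golang.org/x/text by pseudo-version (for example a `v0.0.0-<timestamp>-<commit>` string), which this check also treats as below 0.3.7.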
Affected products
21 products:
- golang.org/x/text (source: description)
- osv-coords: 20 versions, none with a CPE

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/dynamic-localpv-provisioner | < 3.4.1-r3 |
| pkg:apk/chainguard/dynamic-localpv-provisioner-fips | < 3.5.0-r0 |
| pkg:apk/chainguard/gitleaks | < 8.18.2-r1 |
| pkg:apk/chainguard/hey | < 0.1.4-r3 |
| pkg:apk/chainguard/k3d | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-proxy | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-tools | < 5.6.0-r11 |
| pkg:apk/chainguard/prometheus-postgres-exporter-0.10 | < 0 |
| pkg:apk/chainguard/terraform-provider-sendgrid | < 1.0.1-r1 |
| pkg:apk/chainguard/terraform-provider-sendgrid-fips | < 1.0.1-r1 |
| pkg:apk/chainguard/vt-cli | < 1.0.0-r3 |
| pkg:apk/wolfi/dynamic-localpv-provisioner | < 3.4.1-r3 |
| pkg:apk/wolfi/gitleaks | < 8.18.2-r1 |
| pkg:apk/wolfi/hey | < 0.1.4-r3 |
| pkg:apk/wolfi/k3d | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-proxy | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-tools | < 5.6.0-r11 |
| pkg:apk/wolfi/terraform-provider-sendgrid | < 1.0.1-r1 |
| pkg:apk/wolfi/vt-cli | < 1.0.0-r3 |
| pkg:golang/golang.org/x/text | < 0.3.7 |
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-ppp9-7jff-5vj2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-38561 (ghsa, ADVISORY)
- deps.dev/advisory/OSV/GO-2021-0113 (ghsa, WEB)
- go.dev/cl/340830 (ghsa, WEB)
- go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f (ghsa, WEB)
- groups.google.com/g/golang-announce (ghsa, WEB)
- pkg.go.dev/golang.org/x/text/language (ghsa, WEB)
- pkg.go.dev/vuln/GO-2021-0113 (ghsa, WEB)