Moderate severityNVD Advisory· Published Feb 9, 2023· Updated Mar 10, 2025
Denial of service when feeding malformed size arguments in go-bitfield
CVE-2023-23626
Description
go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of NewBitfield and FromBytes functions, an attacker can trigger panics. This happen when the size is a not a multiple of 8 or is negative. There were already a note in the NewBitfield documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that size is a multiple of 8 before calling NewBitfield or FromBytes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/ipfs/go-bitfieldGo | < 1.1.0 | 1.1.0 |
Affected products
2- ipfs/go-bitfieldv5Range: < 1.1.0
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-2h6c-j3gf-xp9rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-23626ghsaADVISORY
- github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579ghsax_refsource_MISCWEB
- github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9rghsax_refsource_CONFIRMWEB
- pkg.go.dev/vuln/GO-2023-1558ghsaWEB
News mentions
0No linked articles in our index yet.