CVE-2024-9355
Medium severity (6.5) · GHSA Advisory · Published Oct 1, 2024 · Updated Apr 15, 2026
Description
A vulnerability was found in Golang FIPS OpenSSL (the github.com/golang-fips/openssl module). The flaw allows an attacker to non-deterministically cause an uninitialized buffer-length variable, together with a zeroed buffer, to be returned in FIPS mode. It may also be possible to force a false-positive match between non-equal hashes when a trusted, computed HMAC sum is compared against an untrusted input sum, if the attacker can send a zeroed buffer in place of the precomputed sum. It is likewise possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
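The two failure modes in the description (a zeroed digest, and an empty digest from an uninitialized length) both defeat the usual "compute trusted sum, constant-time compare with the client's tag" pattern. The Go program below is an added example, not code from golang-fips/openssl or from this advisory: `zeroedHMAC` and `zeroLenHMAC` are constructed stand-ins that mimic the faulty backend behaviour, `verifyNaive` is the common caller pattern, and `rejectDegenerate`/`verifyHardened` are a caller-side defence that refuses a wrong-length or all-zero output before comparing. The upstream fix is the linked pull request 198; the check here is a general hardening, not that patch. Note that `hmac.Equal` only protects against timing leaks: it reports two empty slices as equal, so an empty trusted sum matches an empty attacker tag.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// macBackend stands in for whatever produces the trusted HMAC sum. The two
// faulty backends below are constructed to mimic the failure mode in the
// advisory text; they are not golang-fips/openssl code.
type macBackend func(key, msg []byte) []byte

// goodHMAC is the standard-library HMAC-SHA256, i.e. the expected behaviour.
func goodHMAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// zeroedHMAC returns a zero-filled buffer of full digest length.
func zeroedHMAC(_, _ []byte) []byte { return make([]byte, sha256.Size) }

// zeroLenHMAC returns an empty buffer, mimicking an uninitialized length.
func zeroLenHMAC(_, _ []byte) []byte { return nil }

// verifyNaive trusts the backend and compares in constant time. hmac.Equal
// accepts any two equal-length inputs, including two empty ones, so a
// degenerate trusted sum is matched by an attacker-supplied zeroed or empty tag.
func verifyNaive(b macBackend, key, msg, tag []byte) bool {
	return hmac.Equal(b(key, msg), tag)
}

var errDegenerate = errors.New("crypto backend returned a degenerate output")

// rejectDegenerate refuses an output that is not the expected length or is
// all zeros. A genuine HMAC-SHA256 or derived key is all-zero with negligible
// probability, so the check costs nothing and catches both failure modes.
func rejectDegenerate(out []byte, wantLen int) error {
	if len(out) != wantLen {
		return errDegenerate
	}
	if bytes.Equal(out, make([]byte, wantLen)) {
		return errDegenerate
	}
	return nil
}

// verifyHardened validates the trusted sum before comparing it to the tag.
func verifyHardened(b macBackend, key, msg, tag []byte) (bool, error) {
	want := b(key, msg)
	if err := rejectDegenerate(want, sha256.Size); err != nil {
		return false, err
	}
	return hmac.Equal(want, tag), nil
}

func main() {
	// Constructed sample inputs.
	key := []byte("constructed-example-key")
	msg := []byte("transfer 100 to alice")
	zeros := make([]byte, sha256.Size)

	fmt.Println("naive, healthy backend, forged zero tag:", verifyNaive(goodHMAC, key, msg, zeros))
	fmt.Println("naive, zeroed backend, forged zero tag:", verifyNaive(zeroedHMAC, key, msg, zeros))
	fmt.Println("naive, zero-length backend, empty tag:", verifyNaive(zeroLenHMAC, key, msg, nil))

	ok, err := verifyHardened(zeroedHMAC, key, msg, zeros)
	fmt.Println("hardened, zeroed backend:", ok, err)
	ok, err = verifyHardened(goodHMAC, key, msg, goodHMAC(key, msg))
	fmt.Println("hardened, healthy backend, genuine tag:", ok, err)

	// The same check applies to a derived key (PBKDF2/HKDF output) before use.
	fmt.Println("all-zero derived key accepted:", rejectDegenerate(make([]byte, 32), 32) == nil)
}
```

Run it with `go run` and the three naive lines print false, true, true: the healthy backend rejects the forgery, but either degenerate backend lets an attacker who sends a zeroed or empty tag through. The hardened verifier fails closed with an error on the degenerate backends, which is also the right behaviour for a derived key that comes back all zeros.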
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/golang-fips/openssl | Go | <= 2.0.3 | none listed |
Affected products
29 entries from the GHSA coordinates; no CPE is assigned to any of them.
| Package (purl) | Affected range |
|---|---|
| pkg:golang/github.com/golang-fips/openssl | <= 2.0.3 |
| pkg:rpm/almalinux/delve | < 1.21.2-4.module_el8.10.0+3895+92d465e0 |
| pkg:rpm/almalinux/git-lfs | < 3.6.1-1.el9 |
| pkg:rpm/almalinux/golang | < 1.21.13-3.module_el8.10.0+3900+bb1e1982 |
| pkg:rpm/almalinux/golang-bin | < 1.21.13-3.module_el8.10.0+3900+bb1e1982 |
| pkg:rpm/almalinux/golang-docs | < 1.21.13-3.module_el8.10.0+3900+bb1e1982 |
| pkg:rpm/almalinux/golang-misc | < 1.21.13-3.module_el8.10.0+3900+bb1e1982 |
| pkg:rpm/almalinux/golang-src | < 1.21.13-3.module_el8.10.0+3900+bb1e1982 |
| pkg:rpm/almalinux/golang-tests | < 1.21.13-3.module_el8.10.0+3900+bb1e1982 |
| pkg:rpm/almalinux/go-toolset | < 1.21.13-1.module_el8.10.0+3895+92d465e0 |
| pkg:rpm/almalinux/grafana | < 9.2.10-20.el8_10 |
| pkg:rpm/almalinux/grafana-pcp | < 5.1.1-9.el8_10 |
| pkg:rpm/almalinux/grafana-selinux | < 9.2.10-20.el8_10 |
| pkg:rpm/almalinux/osbuild | < 141-1.el9.alma.1 |
| pkg:rpm/almalinux/osbuild-composer | < 132-1.el9.alma.1 |
| pkg:rpm/almalinux/osbuild-composer-core | < 132-1.el9.alma.1 |
| pkg:rpm/almalinux/osbuild-composer-worker | < 132-1.el9.alma.1 |
| pkg:rpm/almalinux/osbuild-depsolve-dnf | < 141-1.el9.alma.1 |
| pkg:rpm/almalinux/osbuild-luks2 | < 141-1.el9.alma.1 |
| pkg:rpm/almalinux/osbuild-lvm2 | < 141-1.el9.alma.1 |
| pkg:rpm/almalinux/osbuild-ostree | < 141-1.el9.alma.1 |
| pkg:rpm/almalinux/osbuild-selinux | < 141-1.el9.alma.1 |
| pkg:rpm/almalinux/python3-osbuild | < 141-1.el9.alma.1 |
| pkg:rpm/opensuse/govulncheck-vulndb (distro=openSUSE Leap 15.5) | < 0.0.20241030T212825-150000.1.9.1 |
| pkg:rpm/opensuse/govulncheck-vulndb (distro=openSUSE Leap 15.6) | < 0.0.20241030T212825-150000.1.9.1 |
| pkg:rpm/opensuse/govulncheck-vulndb (distro=openSUSE Tumbleweed) | < 0.0.20241030T212825-1.1 |
| pkg:rpm/suse/govulncheck-vulndb (distro=SUSE Linux Enterprise Module for Package Hub 15 SP5) | < 0.0.20241030T212825-150000.1.9.1 |
| pkg:rpm/suse/govulncheck-vulndb (distro=SUSE Linux Enterprise Module for Package Hub 15 SP6) | < 0.0.20241030T212825-150000.1.9.1 |
| pkg:rpm/suse/govulncheck-vulndb (distro=SUSE Package Hub 12) | < 0.0.20241104T154416-5.1 |
References
- github.com/advisories/GHSA-3h3x-2hwv-hr52 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-9355 (ghsa, ADVISORY)
- access.redhat.com/errata/RHSA-2024:10133 (nvd, WEB)
- access.redhat.com/errata/RHSA-2024:7502 (nvd, WEB)
- access.redhat.com/errata/RHSA-2024:7550 (nvd, WEB)
- access.redhat.com/errata/RHSA-2024:8327 (nvd, WEB)
- access.redhat.com/errata/RHSA-2024:8678 (nvd, WEB)
- access.redhat.com/errata/RHSA-2024:8847 (nvd, WEB)
- access.redhat.com/errata/RHSA-2024:9551 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:2416 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:7118 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:7256 (nvd, WEB)
- access.redhat.com/errata/RHSA-2025:7624 (nvd, WEB)
- access.redhat.com/security/cve/CVE-2024-9355 (nvd, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd, WEB)
- github.com/github/advisory-database/pull/4950 (ghsa, WEB)
- github.com/golang-fips/openssl/pull/198 (nvd, WEB)
- pkg.go.dev/vuln/GO-2024-3167 (ghsa, WEB)