Go
by Golang
Source repositories
CVEs (83)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46599 | Golang / Go | High | 0.42 | 7.5 | 0.00 | | May 29, 2026 | The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data. |
| CVE-2026-46597 | Golang / Go | High | 0.42 | 7.5 | 0.00 | | May 22, 2026 | An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs. |
| CVE-2026-39829 | Golang / Go | High | 0.42 | 7.5 | 0.00 | | May 22, 2026 | The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated… |
| CVE-2026-42501 | Golang / Go | High | 0.42 | 7.5 | 0.00 | | May 7, 2026 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can… |
| CVE-2026-42499 | Golang / Go | High | 0.42 | 7.5 | 0.01 | | May 7, 2026 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. |
| CVE-2026-39836 | Golang / Go | High | 0.42 | 7.5 | 0.01 | | May 7, 2026 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). |
| CVE-2026-39820 | Golang / Go | High | 0.42 | 7.5 | 0.00 | | May 7, 2026 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. |
| CVE-2026-33814 | Golang / Go | High | 0.42 | 7.5 | 0.01 | | May 7, 2026 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. |
| CVE-2026-33811 | Golang / Go | High | 0.42 | 7.5 | 0.01 | | May 7, 2026 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. |
| CVE-2026-32283 | Golang / Go | High | 0.42 | 7.5 | 0.00 | | Apr 8, 2026 | If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. |
| CVE-2026-32281 | Golang / Go | High | 0.42 | 7.5 | 0.00 | | Apr 8, 2026 | Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root… |
| CVE-2026-32280 | Golang / Go | High | 0.42 | 7.5 | 0.00 | | Apr 8, 2026 | During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of… |
| CVE-2026-27137 | Golang / Go | High | 0.42 | 7.5 | 0.00 | | Mar 6, 2026 | When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered. |
| CVE-2026-25679 | Golang / Go | High | 0.42 | 7.5 | 0.01 | | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. |
| CVE-2025-22867 | Golang / Go | High | 0.42 | 7.5 | 0.01 | | Feb 6, 2025 | On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2. |
| CVE-2025-22865 | Golang / Go | High | 0.42 | 7.5 | 0.01 | | Jan 28, 2025 | Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT values would panic when verifying that the key is well formed. |
| CVE-2024-34158 | Golang / Go | High | 0.42 | 7.5 | 0.01 | | Sep 6, 2024 | Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. |
| CVE-2024-34156 | Golang / Go | High | 0.42 | 7.5 | 0.01 | | Sep 6, 2024 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. |
| CVE-2024-24784 | Golang / Go | High | 0.42 | 7.5 | 0.01 | | Mar 5, 2024 | The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. |
| CVE-2017-1000098 | Golang / Go | High | 0.42 | 7.5 | 0.02 | | Oct 5, 2017 | The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors. |
Page 2 of 5