CVE-2022-24921
HIGH7.5EPSS 0.02%Stack exhaustion when compiling deeply nested expressions in regexp
Published: 5/23/2022Modified: 5/20/2024
Also known as:BIT-golang-2022-24921GO-2021-0347
Description
On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.
Affected packages (3)
- Bitnami/golangfrom 0, < 1.16.15, >= 1.17.0, < 1.17.8
- Debian/golang-1.15from 0, < 1.15.15-1~deb11u4
- Go/stdlibfrom 0, < 1.16.15, >= 1.17.0-0, < 1.17.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (12)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-24921
- PATCHhttps://go.dev/cl/384616
- PATCHhttps://go.googlesource.com/go/+/452f24ae94f38afa3704d4361d91d51218405c0a
- REPORThttps://go.dev/issue/51112
- WEBhttps://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
- WEBhttps://groups.google.com/g/golang-announce/c/RP1hfrBYVuk
- WEBhttps://lists.debian.org/debian-lts-announce/2022/04/msg00017.html
- WEBhttps://lists.debian.org/debian-lts-announce/2022/04/msg00018.html
- WEBhttps://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2022-24921
- WEBhttps://security.gentoo.org/glsa/202208-02
- WEBhttps://security.netapp.com/advisory/ntap-20220325-0010/