CVE-2022-41715

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Affected Products (NVD)
VendorProductVersion
golanggo
𝑥
< 1.18.7
golanggo
1.19.0 ≤
𝑥
< 1.19.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
vulnerable
buster
postponed
golang-1.19
bookworm
1.19.8-2
fixed
bullseye
no-dsa
buster
postponed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-1.10
bionic
needs-triage
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
needs-triage
xenial
needs-triage
golang-1.13
bionic
needed
focal
needed
jammy
needed
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
needed
golang-1.14
bionic
dne
focal
needed
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.16
bionic
needed
focal
needed
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.17
bionic
dne
focal
dne
jammy
not-affected
trusty
ignored
xenial
ignored
golang-1.18
bionic
Fixed 1.18.1-1ubuntu1~18.04.4
released
focal
Fixed 1.18.1-1ubuntu1~20.04.2
released
jammy
Fixed 1.18.1-1ubuntu1.1
released
lunar
dne
noble
dne
trusty
ignored
xenial
not-affected
golang-1.19
bionic
dne
focal
dne
jammy
dne
kinetic
not-affected
lunar
not-affected
noble
dne
trusty
ignored
xenial
ignored
golang-1.6
bionic
dne
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
ignored
xenial
needed
golang-1.8
bionic
needed
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.9
bionic
needed
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
bind
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
bind-chrootenv
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
bind-devel
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
bind-doc
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
bind-utils
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
libbind9-1600
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
libdns1605
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
libirs-devel
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
libirs1601
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
libisc1606
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
libisccc1600
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
libisccfg1600
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
libns1604
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
python3-bind
suse enterprise sap 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise sap 15 SP2
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP1
9.16.6-150000.12.65.1
fixed
suse enterprise server 15 SP2
9.16.6-150000.12.65.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
git-lfs
RHEL 9
0:3.2.0-1.el9
fixed
golang
RHEL 9
0:1.18.9-1.el9_1
fixed
golang-bin
RHEL 9
0:1.18.9-1.el9_1
fixed
golang-docs
RHEL 9
0:1.18.9-1.el9_1
fixed
golang-github-cpuguy83-md2man
RHEL 9
0:2.0.2-4.el9
fixed
golang-misc
RHEL 9
0:1.18.9-1.el9_1
fixed
golang-race
RHEL 9
0:1.18.9-1.el9_1
fixed
golang-src
RHEL 9
0:1.18.9-1.el9_1
fixed
golang-tests
RHEL 9
0:1.18.9-1.el9_1
fixed
grafana
RHEL 9
0:9.0.9-2.el9
fixed
osbuild-composer
RHEL 8
0:75-1.el8
fixed
RHEL 9
0:76-2.el9_2
fixed
osbuild-composer-core
RHEL 8
0:75-1.el8
fixed
RHEL 9
0:76-2.el9_2
fixed
osbuild-composer-dnf-json
RHEL 8
0:75-1.el8
fixed
RHEL 9
0:76-2.el9_2
fixed
osbuild-composer-worker
RHEL 8
0:75-1.el8
fixed
RHEL 9
0:76-2.el9_2
fixed
weldr-client
RHEL 8
0:35.9-2.el8
fixed
RHEL 9
0:35.9-1.el9
fixed
References
https://go.dev/cl/439356
https://go.dev/issue/55949
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
https://pkg.go.dev/vuln/GO-2022-1039
https://security.gentoo.org/glsa/202311-09
https://go.dev/cl/439356
https://go.dev/issue/55949
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
https://pkg.go.dev/vuln/GO-2022-1039
https://security.gentoo.org/glsa/202311-09