CVE-2022-41715

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GoCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
VendorProductVersion
golanggo
𝑥
< 1.18.7
golanggo
1.19.0 ≤
𝑥
< 1.19.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
vulnerable
buster
postponed
golang-1.19
bookworm
1.19.8-2
fixed
bullseye
no-dsa
buster
postponed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-1.10
noble
dne
mantic
dne
lunar
dne
jammy
dne
focal
dne
bionic
needs-triage
xenial
needs-triage
trusty
needs-triage
golang-1.13
noble
dne
mantic
dne
lunar
dne
jammy
needed
focal
needed
bionic
needed
xenial
needed
trusty
dne
golang-1.14
noble
dne
mantic
dne
lunar
dne
jammy
dne
focal
needed
bionic
dne
xenial
dne
trusty
dne
golang-1.16
noble
dne
mantic
dne
lunar
dne
jammy
dne
focal
needed
bionic
needed
xenial
dne
trusty
dne
golang-1.17
jammy
not-affected
focal
dne
bionic
dne
xenial
ignored
trusty
ignored
golang-1.18
noble
dne
lunar
dne
jammy
Fixed 1.18.1-1ubuntu1.1
released
focal
Fixed 1.18.1-1ubuntu1~20.04.2
released
bionic
Fixed 1.18.1-1ubuntu1~18.04.4
released
xenial
not-affected
trusty
ignored
golang-1.19
noble
dne
lunar
not-affected
kinetic
not-affected
jammy
dne
focal
dne
bionic
dne
xenial
ignored
trusty
ignored
golang-1.6
noble
dne
mantic
dne
lunar
dne
jammy
dne
focal
dne
bionic
dne
xenial
needed
trusty
ignored
golang-1.8
noble
dne
mantic
dne
lunar
dne
jammy
dne
focal
dne
bionic
needed
xenial
dne
trusty
dne
golang-1.9
noble
dne
mantic
dne
lunar
dne
jammy
dne
focal
dne
bionic
needed
xenial
dne
trusty
dne
References
https://go.dev/cl/439356
https://go.dev/issue/55949
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
https://pkg.go.dev/vuln/GO-2022-1039
https://security.gentoo.org/glsa/202311-09
https://go.dev/cl/439356
https://go.dev/issue/55949
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
https://pkg.go.dev/vuln/GO-2022-1039
https://security.gentoo.org/glsa/202311-09