CVE-2024-34156

Sept. 9, 2024, 3:35 p.m.

7.5
High

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Product(s) Impacted

Product Versions
Go programming language
  • []

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://go.dev/cl/611239
https://go.dev/issue/69139
https://groups.google.com/g/golang-dev/c/S9POB9NCTdk
https://pkg.go.dev/vuln/GO-2024-3106

Tags

security@golang.org
2024-09-06
CVE-2024-34156

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: Sept. 6, 2024, 9:15 p.m.
Last Modified: Sept. 9, 2024, 3:35 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@golang.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.