CVE-2022-24675: Buffer Overflow

Published Apr 20, 2022
·
Updated

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.

Other sources

encoding/pem: fix stack overflow in Decode

A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash.

Thanks to Juho Nurminen of Mattermost who reported the error.

This is CVE-2022-24675 and https://go.dev/issue/51853.

Red Hat

Golang Go is vulnerable to a denial of service, caused by a stack-based buffer overflow in encoding/pem in the Decode feature. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the program to crash.

IBM

Affected Software

10 affected componentsFixes available
IBM Cloud Pak for Security<=1.10.0.0 - 1.10.11.0
IBM QRadar Suite Software<=1.10.12.0 - 1.10.16.0
Golang Go<1.17.9
Golang Go>=1.18.0<1.18.1
Fedoraproject Fedora=34
Fedoraproject Fedora=35
Fedoraproject Fedora=36
NetApp Kubernetes Monitoring Operator
redhat/go<1.17.9
1.17.9
redhat/go<1.18.1
1.18.1

Event History

Apr 20, 2022
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Apr 21, 2022
Data Sourced
via Red Hat·10:28 PM
DescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2022-24675?

CVE-2022-24675 is a vulnerability in encoding/pem in Go before version 1.17.9 and 1.18.x before 1.18.1, which can lead to a stack overflow when decoding a large amount of PEM data.

2

How severe is CVE-2022-24675?

CVE-2022-24675 has a severity rating of 7.5 (high).

3

Which software versions are affected by CVE-2022-24675?

Encoding/pem in Go versions before 1.17.9 and 1.18.x before 1.18.1 are affected by CVE-2022-24675.

4

How can I fix CVE-2022-24675?

To fix CVE-2022-24675, update your Go installation to version 1.17.9 or 1.18.1.

5

Where can I find more information about CVE-2022-24675?

You can find more information about CVE-2022-24675 at the following references: [Link 1](https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf), [Link 2](https://groups.google.com/g/golang-announce), [Link 3](https://groups.google.com/g/golang-announce/c/oecdBNLOml8).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203