CVE-2022-41724 : Large handshake records may cause panics in crypto/tls. Both clients and servers

Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

Published 2023-02-28 18:15:10

Updated 2023-11-25 11:15:10

Source Go Project

View at NVD, CVE.org

Products affected by CVE-2022-41724

Golang » GO
Versions before (<) 1.19.6
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Matching versions
Golang » GO » Version: 1.20.0
cpe:2.3:a:golang:go:1.20.0:-:*:*:*:*:*:*
Matching versions
Golang » GO » Version: 1.20.0 Update RC3
cpe:2.3:a:golang:go:1.20.0:rc3:*:*:*:*:*:*
Matching versions
Golang » GO » Version: 1.20.0 Update RC2
cpe:2.3:a:golang:go:1.20.0:rc2:*:*:*:*:*:*
Matching versions
Golang » GO » Version: 1.20.0 Update RC1
cpe:2.3:a:golang:go:1.20.0:rc1:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-41724

EPSS FAQ

0.02%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 2 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-41724

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-41724

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.
Assigned by:
- nvd@nist.gov (Primary)
- security@golang.org (Secondary)

References for CVE-2022-41724

https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E

[security] Go 1.20.1 and Go 1.19.6 are released
Mailing List;Vendor Advisory

CVEs referencing this url
https://go.dev/cl/468125

crypto/tls: replace all usages of BytesOrPanic (468125) · Gerrit Code Review
Patch;Release Notes
https://pkg.go.dev/vuln/GO-2023-1570

GO-2023-1570 - Go Packages
Vendor Advisory
https://go.dev/issue/58001

crypto/tls: large handshake records may cause panics (CVE-2022-41724) · Issue #58001 · golang/go · GitHub
Issue Tracking;Patch;Vendor Advisory
https://security.gentoo.org/glsa/202311-09

Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-41724

Products affected by CVE-2022-41724

Exploit prediction scoring system (EPSS) score for CVE-2022-41724

CVSS scores for CVE-2022-41724

CWE ids for CVE-2022-41724

References for CVE-2022-41724