CVE-2024-24787
Aliases: GO-2024-2825, BIT-golang-2024-24787, CGA-67wh-9fxr-2w4p, GHSA-5fq7-4mxc-535h
Advisory lineage Upstream: 0 Downstream: 10
Deferred
Published: 08 May 2024, 15:31
Last modified: 13 Feb 2025, 17:40
Vulnerability Summary
- Overall Risk (default): medium, 26/100
- CVSS Score: 6.4 MEDIUM, v3.1 (cve.org)
- EPSS Score: 3.2% LOW, 3% probability, +0.73%
- KEV: Not listed
- Ransomware: No reports
- Public exploits: None found
- Dark Web: Not detected
Timeline
- 08 May 2024, 15:31: Published (vulnerability first disclosed)
- 13 Feb 2025, 17:40: Last Modified (vulnerability information updated)
Description
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
CVSS Metrics
- v3.1 • MEDIUM • Score: 6.4 • CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 3.20% • Percentile: 87%
Affected Systems
- chainguard • newrelic-fluent-bit-output: < 2.0.0-r0
- go toolchain • cmd/go: < 1.21.10 | ≥ 1.22.0-0, < 1.22.3
- Go • toolchain: ≥ 1.22.0-0, < 1.22.3