CVE-2024-34158

Aliases:GO-2024-3107BIT-golang-2024-34158

Advisory lineage Upstream: 0 Downstream: 39

Downstream

DEBIAN-CVE-2024-34158 MGASA-2024-0376 OPENSUSE-SU-2024:14323-1 OPENSUSE-SU-2024:14324-1 OPENSUSE-SU-2025:0056-1 RHSA-2024:6908

Deferred

Published: 06 Sept 2024, 20:42

Last modified:04 Oct 2024, 15:02

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.16% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

06 Sept 2024, 20:42

Published

Vulnerability first disclosed

04 Oct 2024, 15:02

Last Modified

Vulnerability information updated

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.16%• Percentile: 37%

Techniques & Countermeasures

CWE-674•Uncontrolled Recursion
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Systems

go standard library•go/build/constraint
< 1.22.7 | ≥ 1.23.0-0, < 1.23.1
Go•stdlib
≥ 1.23.0-0, < 1.23.1