Skip to content

encoding/gob: stack exhaustion in Decoder.Decode (CVE-2024-34156) #69139

New issue
New issue
Closed
Closed
encoding/gob: stack exhaustion in Decoder.Decode (CVE-2024-34156)#69139
Labels
FixPendingIssues that have a fix which has not yet been reviewed or submitted.NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker
Milestone
Go1.24
@rolandshoemaker

Description

@rolandshoemaker
rolandshoemaker
opened on Aug 29, 2024

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

This is a follow-up to CVE-2022-30635.

Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue.

This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

This is a PRIVATE issue for CVE-2024-34156, tracked in http://b/362587965 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1440.

/cc @golang/security and @golang/release

Metadata

Metadata

Assignees

No one assigned

    Labels

    FixPendingIssues that have a fix which has not yet been reviewed or submitted.NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions