CVE-2021-38561

golang: out-of-bounds read in golang.org/x/text/language leads to DoS

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

golang.org/x/text/language en golang.org/x/text anterior a 0.3.7 puede entrar en pánico con una lectura fuera de los límites durante el análisis de etiquetas de idioma BCP 47. El cálculo del índice está mal manejado. Si se analizan entradas de usuarios que no son de confianza, esto se puede utilizar como vector para un ataque de Denegación de Servicio (DoS).

A flaw was found in golang. The language package for go language can panic due to an out-of-bounds read when an incorrectly formatted language tag is being parsed. This flaw allows an attacker to cause applications using this package to parse untrusted input data to crash, leading to a denial of service of the affected component.

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2021-08-11 CVE Reserved
2022-07-27 CVE Published
2025-04-10 EPSS Updated
2025-04-14 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (6)

URL	Tag	Source
https://groups.google.com/g/golang-announce	Mailing List

URL	Date	SRC

URL	Date	SRC
https://deps.dev/advisory/OSV/GO-2021-0113	2023-01-05
https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f	2023-01-05

URL	Date	SRC
https://pkg.go.dev/golang.org/x/text/language	2023-01-05
https://access.redhat.com/security/cve/CVE-2021-38561	2023-08-02
https://bugzilla.redhat.com/show_bug.cgi?id=2100495	2023-08-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Golang Search vendor "Golang"		Text Search vendor "Golang" for product "Text"				< 0.3.7 Search vendor "Golang" for product "Text" and version " < 0.3.7"		-		Affected