CVE-2021-41771
golang: debug/macho: invalid dynamic symbol table command can cause panic
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
ImportedSymbols en debug/macho (para Open u OpenFat) en Go versiones anteriores a 1.16.10 y 1.17.x versiones anteriores a 1.17.3, Accede a una Ubicación de Memoria Después del Final de un Búfer, también se conoce como una situación de "out-of-bounds slice"
An out of bounds read vulnerability was found in debug/macho of the Go standard library. When using the debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat, it can cause golang to attempt to read outside of a slice (array) causing a panic when calling ImportedSymbols. An attacker can use this vulnerability to craft a file which causes an application using this library to crash resulting in a denial of service.
An update that solves two vulnerabilities and has one errata is now available. This update for go1.16 fixes the following issues. Security update go1.16.10. Fixed invalid dynamic symbol table command that could have caused panic. Fixed panic on .Open. This update was imported from the SUSE:SLE-15:Update update project.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-09-28 CVE Reserved
- 2021-11-08 CVE Published
- 2024-08-04 CVE Updated
- 2025-06-08 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (12)
| URL | Tag | Source |
|---|---|---|
| https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf |
|
|
| https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20211210-0003 | Third Party Advisory |
|
| https://www.oracle.com/security-alerts/cpujul2022.html | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | < 1.16.10 Search vendor "Golang" for product "Go" and version " < 1.16.10" | - |
Affected
| ||||||
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | >= 1.17.0 < 1.17.3 Search vendor "Golang" for product "Go" and version " >= 1.17.0 < 1.17.3" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||