CVE-2022-24675

golang: encoding/pem: fix stack overflow in Decode

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.

encoding/pem en Go versiones anteriores a 1.17.9 y versiones 1.8.x anteriores a 1.8.1 tiene un desbordamiento de pila Decode a través de una gran cantidad de datos PEM.

A buffer overflow flaw was found in Golang's library encoding/pem. This flaw allows an attacker to use a large PEM input (more than 5 MB), causing a stack overflow in Decode, which leads to a loss of availability.

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, denial of service, information leakage, spoofing, and traversal vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-08 CVE Reserved
2022-04-13 First Exploit
2022-04-20 CVE Published
2024-08-03 CVE Updated
2025-07-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-674: Uncontrolled Recursion

CAPEC

References (14)

URL	Tag	Source
https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
https://security.netapp.com/advisory/ntap-20220915-0010	Third Party Advisory

URL	Date	SRC
https://github.com/jfrog/jfrog-CVE-2022-24675	2022-04-13

URL	Date	SRC

URL	Date	SRC
https://groups.google.com/g/golang-announce	2023-11-07
https://groups.google.com/g/golang-announce/c/oecdBNLOml8	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42TYZC4OAY54TO75FBEFAPV5G7O4D5TM	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F3BMW5QGX53CMIJIZWKXFKBJX2C5GWTY	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RCRSABD6CUDIZULZPZL5BJ3ET3A2NEJP	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR	2023-11-07
https://security.gentoo.org/glsa/202208-02	2023-11-07
https://access.redhat.com/security/cve/CVE-2022-24675	2023-07-06
https://bugzilla.redhat.com/show_bug.cgi?id=2077688	2023-07-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				< 1.17.9 Search vendor "Golang" for product "Go" and version " < 1.17.9"		-		Affected
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				>= 1.18.0 < 1.18.1 Search vendor "Golang" for product "Go" and version " >= 1.18.0 < 1.18.1"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Netapp Search vendor "Netapp"		Kubernetes Monitoring Operator Search vendor "Netapp" for product "Kubernetes Monitoring Operator"				-		-		Affected