CVE-2024-24788

Malformed DNS message can cause infinite loop in net

  • Severity Score (CVSS v3.1): 5.9
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 0
  • Exploited in Wild (KEV): -
  • Decision (SSVC): Track
Descriptions

A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

A flaw was found in the net package of the Go stdlib. When a malformed DNS message is received as a response to a query, the Lookup functions within the net package can get stuck in an infinite loop. This issue can lead to resource exhaustion and denial of service (DoS) conditions.

*Credits: @long-name-let-people-remember-you, Mateusz Poliwczak
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-01-30 CVE Reserved
  • 2024-05-08 CVE Published
  • 2024-06-11 EPSS Updated
  • 2024-11-21 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Go Standard Library
  • Product: Net
  • Version: >= 1.22.0-0 < 1.22.3
  • Other: en
  • Status: Affected