CVE-2019-17596

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

Published: Oct 24, 2019
Updated: Nov 9, 2025
CVE: CVE-2019-17596
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-436

Affected Software
References

Software	From	Fixed in
golang / go	1.13	1.13.2
golang / go	1.12	1.12.11
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x
redhat / enterprise_linux	8.0	8.0.x
redhat / developer_tools	1.0	1.0.x
redhat / enterprise_linux_server	8.1	8.1.x
opensuse / leap	15.0	15.0.x
opensuse / leap	15.1	15.1.x
arista / mos	-	0.25.x
arista / eos	-	4.23.1f.x
arista / cloudvision_portal	2019.1.2	2019.1.2.x
arista / cloudvision_portal	2019.1.1	2019.1.1.x
arista / cloudvision_portal	2019.1.0	2019.1.0.x
arista / cloudvision_portal	2018.1.0	2018.2.3.x
arista / terminattr	-	1.7.2.x

Vulnerability Database

308,681

CVE-2019-17596

Deep Security Visibility Without the Complexity