CVE-2021-38297

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.

Published: Oct 18, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-38297
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-120

Affected Software
References

Software	From	Fixed in
golang / go	1.17.0	1.17.2
golang / go	-	1.16.9
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x

https://groups.google.com/forum/#!forum/golang-announce
https://groups.google.com/forum/#%21forum/golang-announce
https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A
https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/
https://lists.fedoraproject.org/archives/list/[email protected]/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/
https://security.gentoo.org/glsa/202208-02
https://security.netapp.com/advisory/ntap-20211118-0006/

Vulnerability Database

289,599

CVE-2021-38297