Vulnerability Report: GO-2022-0247
standard library- CVE-2021-38297
- Affects: cmd/link
- Published: May 24, 2022
- Modified: May 20, 2024
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments due to a buffer overflow error. If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules.
Affected Packages
-
PathGo VersionsSymbols
-
before go1.16.9, from go1.17.0-0 before go1.17.2
1 unexported affected symbols
- Link.address
Aliases
References
- https://go.dev/cl/354571
- https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4
- https://go.dev/issue/48797
- https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A
- https://vuln.go.dev/ID/GO-2022-0247.json
Credits
- Ben Lubar
Feedback
See anything missing or incorrect?
Suggest an edit to this report.