Go crypto/tls panic via oversized handshake (TLS 1.3/1.2)
CVE-2022-41724 Published on February 28, 2023
Panic on large handshake records in crypto/tls
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
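As an added triage helper (not code from the advisory or the Go project), the functions below decide whether a Go release falls in the affected ranges and whether a given tls.Config, in a client or server role, matches one of the three exposed configurations named above. Function names and the conservative handling of non-release version strings are my assumptions.

```go
package main

import (
	"crypto/tls"
	"strconv"
	"strings"
)

// parseGoVersion turns a runtime.Version() string such as "go1.19.5" into
// (major, minor, patch). Devel builds and release candidates return ok=false.
func parseGoVersion(v string) (major, minor, patch int, ok bool) {
	var nums [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			return 0, 0, 0, false
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], true
}

// RuntimeAffected reports whether a Go release lies in the ranges the advisory
// lists: anything before 1.19.6, and 1.20.0 up to but excluding 1.20.1.
func RuntimeAffected(v string) bool {
	major, minor, patch, ok := parseGoVersion(v)
	if !ok {
		return true // unparseable build: treat as affected until checked by hand
	}
	switch {
	case major != 1:
		return false
	case minor < 19, minor == 19 && patch < 6, minor == 20 && patch < 1:
		return true
	}
	return false
}

// ConfigExposed reports whether cfg, in the given role, matches one of the
// exposed configurations. MaxVersion 0 means "highest supported" (TLS 1.3 here).
func ConfigExposed(cfg *tls.Config, isServer bool) bool {
	tls13 := cfg.MaxVersion == 0 || cfg.MaxVersion >= tls.VersionTLS13
	if isServer {
		// TLS 1.3 servers that request client certificates
		return tls13 && cfg.ClientAuth >= tls.RequestClientCert
	}
	// every TLS 1.3 client, plus TLS 1.2 clients with resumption enabled
	return tls13 || cfg.ClientSessionCache != nil
}
```

Pass runtime.Version() to RuntimeAffected for the running binary; a true result from both functions means the process is in scope for this advisory and should be rebuilt with a fixed toolchain.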
Products Associated with CVE-2022-41724
Affected Versions
Go standard library crypto/tls:
- Versions before 1.19.6 are affected.
- Versions from 1.20.0-0 up to but not including 1.20.1 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.