Vulnerability Report: GO-2022-0289

standard library

CVE-2021-44717
Affects: syscall
Published: May 18, 2022
Modified: May 20, 2024

When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

Affected Packages

Path

Go Versions

Symbols
syscall

before go1.16.12, from go1.17.0-0 before go1.17.5
- ForkExec

Aliases

CVE-2021-44717

References

https://go.dev/cl/370576
https://go.googlesource.com/go/+/a76511f3a40ea69ee4f5cd86e735e1c8a84f0aa2
https://go.dev/issue/50057
https://groups.google.com/g/golang-announce/c/hcmEScgc00k
https://go.dev/cl/370577
https://go.dev/cl/370795
https://vuln.go.dev/ID/GO-2022-0289.json

Credits

Tomasz Maczukin, Kamil Trzciński of GitLab

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL