Bug 2279814 (CVE-2024-24788) - CVE-2024-24788 golang: net: malformed DNS message can cause infinite loop
Summary: CVE-2024-24788 golang: net: malformed DNS message can cause infinite loop
Keywords:
Status: NEW
Alias: CVE-2024-24788
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2279816 2279820 2279821 2279825 2279829 2279830 2279831 2279832 2279833 2279834 2279835 2279836 2279837 2279815 2279822 2279823 2279824 2279826 2279827 2279828 2279838
Blocks: 2279819
TreeView+ depends on / blocked
 
Reported: 2024-05-09 04:35 UTC by Avinash Hanwate
Modified: 2024-06-22 08:28 UTC (History)
136 users (show)

Fixed In Version: Go 1.22.3, Go 1.21.10
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the net package of the Go stdlib. When a malformed DNS message is received as a response to a query, the Lookup functions within the net package can get stuck in an infinite loop. This issue can lead to resource exhaustion and denial of service (DoS) conditions.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Avinash Hanwate 2024-05-09 04:35:05 UTC 
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

https://go.dev/cl/578375
https://go.dev/issue/66754
https://groups.google.com/g/golang-announce/c/wkkO4P9stm0
https://pkg.go.dev/vuln/GO-2024-2824
Comment 1 Avinash Hanwate 2024-05-09 04:40:37 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2279815]
Affects: fedora-all [bug 2279816]
Note You need to log in before you can comment on or make changes to this bug.