{"api_version":"1","generated_at":"2026-04-23T02:16:21+00:00","cve":"CVE-2018-16875","urls":{"html":"https://cve.report/CVE-2018-16875","api":"https://cve.report/api/cve/CVE-2018-16875.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-16875","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-16875"},"summary":{"title":"CVE-2018-16875","description":"The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2018-12-14 14:29:00","updated_at":"2023-11-07 02:53:00"},"problem_types":["CWE-295"],"metrics":[],"references":[{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html","name":"openSUSE-SU-2019:1444","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:1444-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0","name":"https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0","refsource":"","tags":[],"title":"Google Groups","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0","name":"https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0","refsource":"MISC","tags":["Third Party Advisory"],"title":"Google Groups","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html","name":"openSUSE-SU-2019:1079","refsource":"SUSE","tags":["Third Party Advisory"],"title":"[security-announce] openSUSE-SU-2019:1079-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html","name":"openSUSE-SU-2019:1499","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:1499-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875","refsource":"CONFIRM","tags":["Issue Tracking","Third Party Advisory"],"title":"1657565 – (CVE-2018-16875) CVE-2018-16875 golang: crypto/x509 allows for denial of service via crafted TLS client certificate","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html","name":"openSUSE-SU-2019:1506","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:1506-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html","name":"openSUSE-SU-2019:1703","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:1703-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/201812-09","name":"GLSA-201812-09","refsource":"GENTOO","tags":["Mitigation","Third Party Advisory"],"title":"Go: Multiple vulnerabilities (GLSA 201812-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/106230","name":"106230","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Golang Go CVE-2018-16875 Remote Denial of Service Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-16875","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16875","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"16875","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"16875","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"16875","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"42.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"16875","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"42.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-16875","qid":"174971","title":"SUSE Enterprise Linux Security Update for containerd, docker, runc (SUSE-SU-2021:1458-1)"},{"cve":"CVE-2018-16875","qid":"296075","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 21.69.0 Missing (CPUAPR2020)"},{"cve":"CVE-2018-16875","qid":"710317","title":"Gentoo Linux Go Multiple Vulnerabilities (GLSA 201812-09)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","ID":"CVE-2018-16875","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"golang","version":{"version_data":[{"version_value":"1.10.6"},{"version_value":"1.11.3"}]}}]},"vendor_name":"[UNKNOWN]"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected."}]},"impact":{"cvss":[[{"vectorString":"5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.0"}]]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20"}]}]},"references":{"reference_data":[{"name":"106230","refsource":"BID","url":"http://www.securityfocus.com/bid/106230"},{"name":"GLSA-201812-09","refsource":"GENTOO","url":"https://security.gentoo.org/glsa/201812-09"},{"name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875","refsource":"CONFIRM","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875"},{"name":"https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0","refsource":"MISC","url":"https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0"},{"refsource":"SUSE","name":"openSUSE-SU-2019:1079","url":"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"},{"refsource":"SUSE","name":"openSUSE-SU-2019:1444","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"},{"refsource":"SUSE","name":"openSUSE-SU-2019:1499","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"},{"refsource":"SUSE","name":"openSUSE-SU-2019:1506","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"},{"refsource":"SUSE","name":"openSUSE-SU-2019:1703","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"}]}},"nvd":{"publishedDate":"2018-12-14 14:29:00","lastModifiedDate":"2023-11-07 02:53:00","problem_types":["CWE-295"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:C","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"COMPLETE","baseScore":7.8},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.11.0","versionEndExcluding":"1.11.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.10.6","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"16875","Ordinal":"133686","Title":"CVE-2018-16875","CVE":"CVE-2018-16875","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"16875","Ordinal":"1","NoteData":"The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"16875","Ordinal":"2","NoteData":"2018-12-14","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"16875","Ordinal":"3","NoteData":"2019-07-14","Type":"Other","Title":"Modified"}]}}}