{"api_version":"1","generated_at":"2026-04-22T23:09:08+00:00","cve":"CVE-2022-41715","urls":{"html":"https://cve.report/CVE-2022-41715","api":"https://cve.report/api/cve/CVE-2022-41715.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-41715","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-41715"},"summary":{"title":"CVE-2022-41715","description":"Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.","state":"PUBLIC","assigner":"security@golang.org","published_at":"2022-10-14 15:16:00","updated_at":"2023-11-25 11:15:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202311-09","name":"https://security.gentoo.org/glsa/202311-09","refsource":"","tags":[],"title":"Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/THKJHFMX4DAZXJ5MFPN3BNHZDN7BW5RI/","name":"FEDORA-2022-59a20edab2","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: golang-1.19.2-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/issue/55949","name":"https://go.dev/issue/55949","refsource":"MISC","tags":[],"title":"regexp/syntax: limit memory used by parsing regexps · Issue #55949 · golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU","name":"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU","refsource":"MISC","tags":[],"title":"[security] Go 1.19.2 and Go 1.18.7 are released","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/cl/439356","name":"https://go.dev/cl/439356","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://pkg.go.dev/vuln/GO-2022-1039","name":"https://pkg.go.dev/vuln/GO-2022-1039","refsource":"MISC","tags":[],"title":"GO-2022-1039 - Go Packages","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-41715","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41715","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"41715","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"41715","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-41715","qid":"160322","title":"Oracle Enterprise Linux Security Update for ol8addon (ELSA-2022-24267)"},{"cve":"CVE-2022-41715","qid":"160414","title":"Oracle Enterprise Linux Security Update for go-toolset and golang (ELSA-2023-0328)"},{"cve":"CVE-2022-41715","qid":"160440","title":"Oracle Enterprise Linux Security Update for go-toolset:ol8 (ELSA-2023-0446)"},{"cve":"CVE-2022-41715","qid":"160499","title":"Oracle Enterprise Linux Security Update for ol8addon (ELSA-2023-18908)"},{"cve":"CVE-2022-41715","qid":"160582","title":"Oracle Enterprise Linux Security Update for git-lfs (ELSA-2023-2357)"},{"cve":"CVE-2022-41715","qid":"160597","title":"Oracle Enterprise Linux Security Update for golang-github-cpuguy83-md2man (ELSA-2023-2592)"},{"cve":"CVE-2022-41715","qid":"160609","title":"Oracle Enterprise Linux Security Update for image builder (ELSA-2023-2204)"},{"cve":"CVE-2022-41715","qid":"160619","title":"Oracle Enterprise Linux Security Update for grafana security and enhancement update (ELSA-2023-2167)"},{"cve":"CVE-2022-41715","qid":"160655","title":"Oracle Enterprise Linux Security Update for grafana (ELSA-2023-2784)"},{"cve":"CVE-2022-41715","qid":"160663","title":"Oracle Enterprise Linux Security Update for git-lfs (ELSA-2023-2866)"},{"cve":"CVE-2022-41715","qid":"160666","title":"Oracle Enterprise Linux Security Update for image builder (ELSA-2023-2780)"},{"cve":"CVE-2022-41715","qid":"161289","title":"Oracle Enterprise Linux Security Update for container-tools:4.0 (ELSA-2024-0121)"},{"cve":"CVE-2022-41715","qid":"183457","title":"Debian Security Update for golang-1.19 (CVE-2022-41715)"},{"cve":"CVE-2022-41715","qid":"199304","title":"Ubuntu Security Notification for Go Vulnerabilities (USN-6038-1)"},{"cve":"CVE-2022-41715","qid":"241070","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2022:7398)"},{"cve":"CVE-2022-41715","qid":"241106","title":"Red Hat Update for go-toolset and golang (RHSA-2023:0328)"},{"cve":"CVE-2022-41715","qid":"241132","title":"Red Hat Update for go-toolset:rhel8 (RHSA-2023:0446)"},{"cve":"CVE-2022-41715","qid":"241187","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:0727)"},{"cve":"CVE-2022-41715","qid":"241268","title":"Red Hat Update for multiple OpenStack Platforms (RHSA-2023:1275)"},{"cve":"CVE-2022-41715","qid":"241424","title":"Red Hat Update for image builder security (RHSA-2023:2204)"},{"cve":"CVE-2022-41715","qid":"241453","title":"Red Hat Update for grafana (RHSA-2023:2167)"},{"cve":"CVE-2022-41715","qid":"241467","title":"Red Hat Update for git-lfs (RHSA-2023:2357)"},{"cve":"CVE-2022-41715","qid":"241485","title":"Red Hat Update for grafana (RHSA-2023:2784)"},{"cve":"CVE-2022-41715","qid":"241490","title":"Red Hat Update for image builder security (RHSA-2023:2780)"},{"cve":"CVE-2022-41715","qid":"241520","title":"Red Hat Update for git-lfs (RHSA-2023:2866)"},{"cve":"CVE-2022-41715","qid":"241747","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:3613)"},{"cve":"CVE-2022-41715","qid":"242882","title":"Red Hat Update for container-tools:4.0 (RHSA-2024:0121)"},{"cve":"CVE-2022-41715","qid":"283206","title":"Fedora Security Update for golang (FEDORA-2022-0e313cc582)"},{"cve":"CVE-2022-41715","qid":"354133","title":"Amazon Linux Security Advisory for golang : ALAS2-2022-1887"},{"cve":"CVE-2022-41715","qid":"354318","title":"Amazon Linux Security Advisory for golist : ALAS2022-2022-240"},{"cve":"CVE-2022-41715","qid":"354512","title":"Amazon Linux Security Advisory for golang : ALAS2022-2022-239"},{"cve":"CVE-2022-41715","qid":"354547","title":"Amazon Linux Security Advisory for golang : ALAS-2022-239"},{"cve":"CVE-2022-41715","qid":"354562","title":"Amazon Linux Security Advisory for golist : ALAS-2022-240"},{"cve":"CVE-2022-41715","qid":"354647","title":"Amazon Linux Security Advisory for golist : ALAS2-2023-1913"},{"cve":"CVE-2022-41715","qid":"355111","title":"Amazon Linux Security Advisory for golist : ALAS2023-2023-046"},{"cve":"CVE-2022-41715","qid":"355212","title":"Amazon Linux Security Advisory for golang : ALAS2023-2023-048"},{"cve":"CVE-2022-41715","qid":"356304","title":"Amazon Linux Security Advisory for golang : ALASGOLANG1.19-2023-002"},{"cve":"CVE-2022-41715","qid":"378046","title":"Alibaba Cloud Linux Security Update for go-toolset:rhel8 (ALINUX3-SA-2023:0028)"},{"cve":"CVE-2022-41715","qid":"378599","title":"Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)"},{"cve":"CVE-2022-41715","qid":"378652","title":"Alibaba Cloud Linux Security Update for git-lfs (ALINUX3-SA-2023:0071)"},{"cve":"CVE-2022-41715","qid":"378707","title":"Alibaba Cloud Linux Security Update for grafana (ALINUX3-SA-2023:0075)"},{"cve":"CVE-2022-41715","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2022-41715","qid":"502529","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2022-41715","qid":"502859","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2022-41715","qid":"672413","title":"EulerOS Security Update for golang (EulerOS-SA-2022-2795)"},{"cve":"CVE-2022-41715","qid":"672476","title":"EulerOS Security Update for golang (EulerOS-SA-2023-1035)"},{"cve":"CVE-2022-41715","qid":"672519","title":"EulerOS Security Update for golang (EulerOS-SA-2023-1010)"},{"cve":"CVE-2022-41715","qid":"672528","title":"EulerOS Security Update for golang (EulerOS-SA-2023-1100)"},{"cve":"CVE-2022-41715","qid":"672533","title":"EulerOS Security Update for golang (EulerOS-SA-2023-1124)"},{"cve":"CVE-2022-41715","qid":"672621","title":"EulerOS Security Update for golang (EulerOS-SA-2023-1385)"},{"cve":"CVE-2022-41715","qid":"672650","title":"EulerOS Security Update for golang (EulerOS-SA-2023-1357)"},{"cve":"CVE-2022-41715","qid":"690952","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for go (854c2afb-4424-11ed-af97-adcabf310f9b)"},{"cve":"CVE-2022-41715","qid":"710791","title":"Gentoo Linux Go Multiple Vulnerabilities (GLSA 202311-09)"},{"cve":"CVE-2022-41715","qid":"753218","title":"SUSE Enterprise Linux Security Update for go1.19 (SUSE-SU-2022:3669-1)"},{"cve":"CVE-2022-41715","qid":"753359","title":"SUSE Enterprise Linux Security Update for go1.18 (SUSE-SU-2022:3668-1)"},{"cve":"CVE-2022-41715","qid":"753995","title":"SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2023:2183-1)"},{"cve":"CVE-2022-41715","qid":"754047","title":"SUSE Enterprise Linux Security Update for go1.18-openssl (SUSE-SU-2023:2312-1)"},{"cve":"CVE-2022-41715","qid":"754116","title":"SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2023:2578-1)"},{"cve":"CVE-2022-41715","qid":"755764","title":"SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2024:0487-1)"},{"cve":"CVE-2022-41715","qid":"755846","title":"SUSE Enterprise Linux Security Update for golang-github-prometheus-prometheus (SUSE-SU-2023:2598-1)"},{"cve":"CVE-2022-41715","qid":"770172","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2022:7398)"},{"cve":"CVE-2022-41715","qid":"770176","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:0727)"},{"cve":"CVE-2022-41715","qid":"770197","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:3613)"},{"cve":"CVE-2022-41715","qid":"904226","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11156)"},{"cve":"CVE-2022-41715","qid":"904244","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11130)"},{"cve":"CVE-2022-41715","qid":"907765","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11156-1)"},{"cve":"CVE-2022-41715","qid":"907843","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11130-1)"},{"cve":"CVE-2022-41715","qid":"907898","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11130-2)"},{"cve":"CVE-2022-41715","qid":"908059","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11130-4)"},{"cve":"CVE-2022-41715","qid":"940905","title":"AlmaLinux Security Update for go-toolset and golang (ALSA-2023:0328)"},{"cve":"CVE-2022-41715","qid":"940911","title":"AlmaLinux Security Update for go-toolset:rhel8 (ALSA-2023:0446)"},{"cve":"CVE-2022-41715","qid":"941046","title":"AlmaLinux Security Update for grafana (ALSA-2023:2167)"},{"cve":"CVE-2022-41715","qid":"941053","title":"AlmaLinux Security Update for git-lfs (ALSA-2023:2357)"},{"cve":"CVE-2022-41715","qid":"941060","title":"AlmaLinux Security Update for golang-github-cpuguy83-md2man (ALSA-2023:2592)"},{"cve":"CVE-2022-41715","qid":"941063","title":"AlmaLinux Security Update for Image (ALSA-2023:2204)"},{"cve":"CVE-2022-41715","qid":"941104","title":"AlmaLinux Security Update for grafana (ALSA-2023:2784)"},{"cve":"CVE-2022-41715","qid":"941108","title":"AlmaLinux Security Update for git-lfs (ALSA-2023:2866)"},{"cve":"CVE-2022-41715","qid":"941118","title":"AlmaLinux Security Update for Image (ALSA-2023:2780)"},{"cve":"CVE-2022-41715","qid":"941535","title":"AlmaLinux Security Update for container-tools:4.0 (ALSA-2024:0121)"},{"cve":"CVE-2022-41715","qid":"960489","title":"Rocky Linux Security Update for go-toolset and golang (RLSA-2023:0328)"},{"cve":"CVE-2022-41715","qid":"960609","title":"Rocky Linux Security Update for go-toolset:rhel8 (RLSA-2023:0446)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-41715","ASSIGNER":"security@golang.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE 400: Uncontrolled Resource Consumption"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Go standard library","product":{"product_data":[{"product_name":"regexp/syntax","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"1.18.7"},{"version_affected":"<","version_name":"1.19.0-0","version_value":"1.19.2"}]}}]}}]}},"references":{"reference_data":[{"url":"https://go.dev/issue/55949","refsource":"MISC","name":"https://go.dev/issue/55949"},{"url":"https://go.dev/cl/439356","refsource":"MISC","name":"https://go.dev/cl/439356"},{"url":"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU","refsource":"MISC","name":"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"},{"url":"https://pkg.go.dev/vuln/GO-2022-1039","refsource":"MISC","name":"https://pkg.go.dev/vuln/GO-2022-1039"}]},"credits":[{"lang":"en","value":"Adam Korczynski (ADA Logics)"},{"lang":"en","value":"OSS-Fuzz"}]},"nvd":{"publishedDate":"2022-10-14 15:16:00","lastModifiedDate":"2023-11-25 11:15:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.19.0","versionEndExcluding":"1.19.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.18.7","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}