{"api_version":"1","generated_at":"2026-04-15T23:16:13+00:00","cve":"CVE-2023-29409","urls":{"html":"https://cve.report/CVE-2023-29409","api":"https://cve.report/api/cve/CVE-2023-29409.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-29409","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-29409"},"summary":{"title":"CVE-2023-29409","description":"Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.","state":"PUBLIC","assigner":"security@golang.org","published_at":"2023-08-02 20:15:00","updated_at":"2023-11-25 11:15:00"},"problem_types":["CWE-400"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202311-09","name":"https://security.gentoo.org/glsa/202311-09","refsource":"","tags":[],"title":"Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://pkg.go.dev/vuln/GO-2023-1987","name":"https://pkg.go.dev/vuln/GO-2023-1987","refsource":"MISC","tags":[],"title":"404 Not Found - Go Packages","mime":"text/html","httpstatus":"404","archivestatus":"404"},{"url":"https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ","name":"https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ","refsource":"MISC","tags":[],"title":"[security] Go 1.20.7 and Go 1.19.12 are released","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20230831-0010/","name":"https://security.netapp.com/advisory/ntap-20230831-0010/","refsource":"MISC","tags":[],"title":"CVE-2023-29409 Golang Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/issue/61460","name":"https://go.dev/issue/61460","refsource":"MISC","tags":[],"title":"crypto/tls: verifying certificate chains containing large RSA keys is slow [CVE-2023-29409] · Issue #61460 · golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/cl/515257","name":"https://go.dev/cl/515257","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-29409","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29409","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"29409","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"29409","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"1.21.0","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"29409","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"1.21.0","cpe7":"rc2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"29409","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"1.21.0","cpe7":"rc3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-29409","qid":"160998","title":"Oracle Enterprise Linux Security Update for go-toolset and golang (ELSA-2023-5738)"},{"cve":"CVE-2023-29409","qid":"161230","title":"Oracle Enterprise Linux Security Update for podman (ELSA-2023-7765)"},{"cve":"CVE-2023-29409","qid":"161231","title":"Oracle Enterprise Linux Security Update for containernetworking-plugins (ELSA-2023-7766)"},{"cve":"CVE-2023-29409","qid":"161240","title":"Oracle Enterprise Linux Security Update for runc (ELSA-2023-7763)"},{"cve":"CVE-2023-29409","qid":"161243","title":"Oracle Enterprise Linux Security Update for skopeo (ELSA-2023-7762)"},{"cve":"CVE-2023-29409","qid":"161244","title":"Oracle Enterprise Linux Security Update for buildah (ELSA-2023-7764)"},{"cve":"CVE-2023-29409","qid":"161289","title":"Oracle Enterprise Linux Security Update for container-tools:4.0 (ELSA-2024-0121)"},{"cve":"CVE-2023-29409","qid":"242176","title":"Red Hat Update for go-toolset and golang (RHSA-2023:5738)"},{"cve":"CVE-2023-29409","qid":"242228","title":"Red Hat Update for OpenStack Platform 17.1.1 (RHSA-2023:5969)"},{"cve":"CVE-2023-29409","qid":"242365","title":"Red Hat Update for OpenStack Platform 16.2.5 (RHSA-2023:5964)"},{"cve":"CVE-2023-29409","qid":"242381","title":"Red Hat Update for OpenStack Platform 16.2.5 (RHSA-2023:5965)"},{"cve":"CVE-2023-29409","qid":"242464","title":"Red Hat OpenShift Container Platform 4.14 Security Update (RHSA-2023:6840)"},{"cve":"CVE-2023-29409","qid":"242569","title":"Red Hat Update for podman (RHSA-2023:7765)"},{"cve":"CVE-2023-29409","qid":"242584","title":"Red Hat Update for runc (RHSA-2023:7763)"},{"cve":"CVE-2023-29409","qid":"242585","title":"Red Hat Update for containernetworking-plugins (RHSA-2023:7766)"},{"cve":"CVE-2023-29409","qid":"242587","title":"Red Hat Update for buildah (RHSA-2023:7764)"},{"cve":"CVE-2023-29409","qid":"242593","title":"Red Hat Update for skopeo (RHSA-2023:7762)"},{"cve":"CVE-2023-29409","qid":"242736","title":"Red Hat OpenShift Container Platform 4.14 Security Update (RHSA-2024:0292)"},{"cve":"CVE-2023-29409","qid":"242737","title":"Red Hat OpenShift Container Platform 4.14 Security Update (RHSA-2024:0293)"},{"cve":"CVE-2023-29409","qid":"242882","title":"Red Hat Update for container-tools:4.0 (RHSA-2024:0121)"},{"cve":"CVE-2023-29409","qid":"296103","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 61.151.2 Missing (CPUJUL2023)"},{"cve":"CVE-2023-29409","qid":"355840","title":"Amazon Linux Security Advisory for runc : ALAS2NITRO-ENCLAVES-2023-027"},{"cve":"CVE-2023-29409","qid":"355842","title":"Amazon Linux Security Advisory for cni-plugins : ALAS2-2023-2208"},{"cve":"CVE-2023-29409","qid":"355843","title":"Amazon Linux Security Advisory for nerdctl : ALAS2-2023-2210"},{"cve":"CVE-2023-29409","qid":"355852","title":"Amazon Linux Security Advisory for golang : ALAS2-2023-2211"},{"cve":"CVE-2023-29409","qid":"355856","title":"Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2023-028"},{"cve":"CVE-2023-29409","qid":"355857","title":"Amazon Linux Security Advisory for amazon-cloudwatch-agent : ALAS2-2023-2209"},{"cve":"CVE-2023-29409","qid":"355859","title":"Amazon Linux Security Advisory for runc : ALAS2DOCKER-2023-026"},{"cve":"CVE-2023-29409","qid":"355866","title":"Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2023-027"},{"cve":"CVE-2023-29409","qid":"355868","title":"Amazon Linux Security Advisory for nerdctl : ALAS2023-2023-309"},{"cve":"CVE-2023-29409","qid":"355876","title":"Amazon Linux Security Advisory for amazon-cloudwatch-agent : ALAS2023-2023-307"},{"cve":"CVE-2023-29409","qid":"355880","title":"Amazon Linux Security Advisory for containerd : ALAS2023-2023-308"},{"cve":"CVE-2023-29409","qid":"356112","title":"Amazon Linux Security Advisory for docker : ALAS2023-2023-345"},{"cve":"CVE-2023-29409","qid":"356115","title":"Amazon Linux Security Advisory for amazon-ecr-credential-helper : ALAS2023-2023-346"},{"cve":"CVE-2023-29409","qid":"356344","title":"Amazon Linux Security Advisory for golang : AL2012-2023-447"},{"cve":"CVE-2023-29409","qid":"356362","title":"Amazon Linux Security Advisory for golang : ALAS-2023-1848"},{"cve":"CVE-2023-29409","qid":"356363","title":"Amazon Linux Security Advisory for containerd : ALAS-2023-1849"},{"cve":"CVE-2023-29409","qid":"356374","title":"Amazon Linux Security Advisory for amazon-ssm-agent : ALAS2023-2023-373"},{"cve":"CVE-2023-29409","qid":"356428","title":"Amazon Linux Security Advisory for amazon-ssm-agent : ALAS2-2023-2303"},{"cve":"CVE-2023-29409","qid":"356565","title":"Amazon Linux Security Advisory for containerd : ALAS2ECS-2023-008"},{"cve":"CVE-2023-29409","qid":"503191","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-29409","qid":"506085","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-29409","qid":"673336","title":"EulerOS Security Update for golang (EulerOS-SA-2023-3006)"},{"cve":"CVE-2023-29409","qid":"673747","title":"EulerOS Security Update for golang (EulerOS-SA-2023-3178)"},{"cve":"CVE-2023-29409","qid":"673755","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2877)"},{"cve":"CVE-2023-29409","qid":"673850","title":"EulerOS Security Update for golang (EulerOS-SA-2024-1140)"},{"cve":"CVE-2023-29409","qid":"673911","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2896)"},{"cve":"CVE-2023-29409","qid":"673945","title":"EulerOS Security Update for golang (EulerOS-SA-2023-3213)"},{"cve":"CVE-2023-29409","qid":"674001","title":"EulerOS Security Update for golang (EulerOS-SA-2023-3029)"},{"cve":"CVE-2023-29409","qid":"710791","title":"Gentoo Linux Go Multiple Vulnerabilities (GLSA 202311-09)"},{"cve":"CVE-2023-29409","qid":"754270","title":"SUSE Enterprise Linux Security Update for go1.19 (SUSE-SU-2023:3263-1)"},{"cve":"CVE-2023-29409","qid":"754950","title":"SUSE Enterprise Linux Security Update for go1.19-openssl (SUSE-SU-2023:3841-1)"},{"cve":"CVE-2023-29409","qid":"754951","title":"SUSE Enterprise Linux Security Update for go1.20-openssl (SUSE-SU-2023:3840-1)"},{"cve":"CVE-2023-29409","qid":"754977","title":"SUSE Enterprise Linux Security Update for grafana (SUSE-SU-2023:3886-1)"},{"cve":"CVE-2023-29409","qid":"754978","title":"SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2023:3868-1)"},{"cve":"CVE-2023-29409","qid":"754979","title":"SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2023:3867-1)"},{"cve":"CVE-2023-29409","qid":"754988","title":"SUSE Enterprise Linux Security Update for Golang Prometheus (SUSE-SU-2023:3888-1)"},{"cve":"CVE-2023-29409","qid":"755293","title":"SUSE Enterprise Linux Maintenance update for SUSE Manager 4.3.8 Release Notes (SUSE-SU-2023:3885-1)"},{"cve":"CVE-2023-29409","qid":"770214","title":"Red Hat OpenShift Container Platform 4.14 Security Update (RHSA-2023:6840)"},{"cve":"CVE-2023-29409","qid":"770224","title":"Red Hat OpenShift Container Platform 4.14 Security Update (RHSA-2024:0293)"},{"cve":"CVE-2023-29409","qid":"907881","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (27812-2)"},{"cve":"CVE-2023-29409","qid":"907924","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for msft-golang (27814-1)"},{"cve":"CVE-2023-29409","qid":"941298","title":"AlmaLinux Security Update for go-toolset and golang (ALSA-2023:5738)"},{"cve":"CVE-2023-29409","qid":"941495","title":"AlmaLinux Security Update for podman (ALSA-2023:7765)"},{"cve":"CVE-2023-29409","qid":"941497","title":"AlmaLinux Security Update for runc (ALSA-2023:7763)"},{"cve":"CVE-2023-29409","qid":"941498","title":"AlmaLinux Security Update for containernetworking-plugins (ALSA-2023:7766)"},{"cve":"CVE-2023-29409","qid":"941499","title":"AlmaLinux Security Update for skopeo (ALSA-2023:7762)"},{"cve":"CVE-2023-29409","qid":"941500","title":"AlmaLinux Security Update for buildah (ALSA-2023:7764)"},{"cve":"CVE-2023-29409","qid":"941535","title":"AlmaLinux Security Update for container-tools:4.0 (ALSA-2024:0121)"},{"cve":"CVE-2023-29409","qid":"961058","title":"Rocky Linux Security Update for go-toolset and golang (RLSA-2023:5738)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-29409","ASSIGNER":"security@golang.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-400: Uncontrolled Resource Consumption"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Go standard library","product":{"product_data":[{"product_name":"crypto/tls","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"1.19.12"},{"version_affected":"<","version_name":"1.20.0-0","version_value":"1.20.7"},{"version_affected":"<","version_name":"1.21.0-0","version_value":"1.21.0-rc.4"}]}}]}}]}},"references":{"reference_data":[{"url":"https://go.dev/issue/61460","refsource":"MISC","name":"https://go.dev/issue/61460"},{"url":"https://go.dev/cl/515257","refsource":"MISC","name":"https://go.dev/cl/515257"},{"url":"https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ","refsource":"MISC","name":"https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ"},{"url":"https://pkg.go.dev/vuln/GO-2023-1987","refsource":"MISC","name":"https://pkg.go.dev/vuln/GO-2023-1987"},{"url":"https://security.netapp.com/advisory/ntap-20230831-0010/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20230831-0010/"}]},"credits":[{"lang":"en","value":"Mateusz Poliwczak"}]},"nvd":{"publishedDate":"2023-08-02 20:15:00","lastModifiedDate":"2023-11-25 11:15:00","problem_types":["CWE-400"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:1.21.0:rc2:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:1.21.0:rc3:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.20.0","versionEndExcluding":"1.20.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.19.12","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:1.21.0:rc1:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}