QID 356304

an out of bounds read vulnerability was found in debug/macho of the go standard library.
When using the debug/macho standard library (stdlib) and malformed binaries are parsed using open or openfat, it can cause golang to attempt to read outside of a slice (array) causing a panic when calling importedsymbols.
An attacker can use this vulnerability to craft a file which causes an application using this library to crash resulting in a denial of service. (
( CVE-2021-41771) theres a flaw in golangs syscall.
Forkexec() interface.
An attacker who manages to first cause a file descriptor exhaustion for the process, then cause syscall.
Forkexec() to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.
Forkexec(). (
( CVE-2021-44717) a flaw was found in golang.
The http/1 client accepted invalid transfer-encoding headers indicating "chunked" encoding.
This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. (
( CVE-2022-1705) a flaw was found in the golang standard library, go/parser.
When calling any parse functions on the go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion.
This issue allows an attacker to impact system availability. (
( CVE-2022-1962) rat.
Setstring in math/big in go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to uncontrolled memory consumption. (
( CVE-2022-23772) cmd/go in go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.