1. Home
  2. CVE Database
  3. CVE-2023-29402
CRITICAL · 9.8

CVE-2023-29402

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted modu...

Vulnerability Description

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
GolangGo< 1.19.10
FedoraprojectFedora38

Related Weaknesses (CWE)

CWE-94

References

FAQ

What is CVE-2023-29402?

CVE-2023-29402 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted modu...

How severe is CVE-2023-29402?

CVE-2023-29402 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-29402?

Check the references section above for vendor advisories and patch information. Affected products include: Golang Go, Fedoraproject Fedora.