Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.

🗓️ 03 Sep 2025 21:29:11Reported by MicrosoftType

mscve

mscve🔗 msrc.microsoft.com👁 1 Views

Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 curves, enabling denial of service or ECDH recovery.

Reporter	Title	Published	Views	Family All 99
IBM Security Bulletins	Security Bulletin: IBM Event Streams is affected by Go vulnerabilities	29 Mar 201911:00	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Private for Data is affected by a vulnerability in Go Language (CVE-2019-6486)	3 Oct 201922:50	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in Go affects IBM Watson Studio Local	20 Dec 201913:58	–	ibm
ALT Linux	Security fix for the ALT Linux 10 package golang version 1.11.5-alt1	24 Jan 201900:00	–	altlinux
Tenable Nessus	Amazon Linux 2 : golang (ALAS-2019-1172)	8 Mar 201900:00	–	nessus
Tenable Nessus	Amazon Linux AMI : golang (ALAS-2019-1172)	12 Mar 201900:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0069: go-toolset:rhel8 (ALINUX3-SA-2021:0069)	14 May 202500:00	–	nessus
Tenable Nessus	Debian DLA-1664-1 : golang security update	7 Feb 201900:00	–	nessus
Tenable Nessus	Debian DSA-4379-1 : golang-1.7 - security update	4 Feb 201900:00	–	nessus
Tenable Nessus	Debian DSA-4380-1 : golang-1.8 - security update	4 Feb 201900:00	–	nessus

03 Sep 2025 21:29Current

7High risk

Vulners AI Score7

CVSS 26.4

CVSS 38.2

EPSS0.00598

go versions p521 curves p384 curves denial of service ecdh recovery