golang: encoding/xml: stack exhaustion in Decoder.Skip

🗓️ 16 May 2023 08:59:44Reported by RedHatType

redhat

redhat🔗 access.redhat.com👁 4 Views

Go encoding library Decoder.Skip may panic from stack exhaustion on deeply nested XML, hurting availability.

Reporter	Title	Published	Views	Family All 314
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in Go may affect IBM CICS TX Standard	24 Feb 202310:43	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for Febuary 2023	10 Mar 202318:29	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM API Connect	15 Mar 202500:18	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak System is vulnerable to multiple vulnerabilities in Golang Go	31 Mar 202314:14	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Data is vulnerable to a variety of issues due to 3rd party software	27 Sep 202417:52	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in the mongo-tools utility affect IBM WebSphere Automation	29 Mar 202317:13	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities	16 Jun 202315:20	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is affected by multiple vulnerabilities in Golang Go	5 Jul 202321:52	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Golang Go affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift	18 Nov 202200:02	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to multiple software weaknesses due to Golang	4 Apr 202521:17	–	ibm

OS	OS Version	Architecture	Package	Package Version	Filename
Red Hat Enterprise Linux	8	aarch64	aardvark-dns	2:1.0.1-37.module+el8.8.0+17954+9046de88	aardvark-dns-2:1.0.1-37.module+el8.8.0+17954+9046de88.aarch64.rpm
Red Hat Enterprise Linux	8	ppc64le	aardvark-dns	2:1.0.1-37.module+el8.8.0+17954+9046de88	aardvark-dns-2:1.0.1-37.module+el8.8.0+17954+9046de88.ppc64le.rpm
Red Hat Enterprise Linux	8	s390x	aardvark-dns	2:1.0.1-37.module+el8.8.0+17954+9046de88	aardvark-dns-2:1.0.1-37.module+el8.8.0+17954+9046de88.s390x.rpm
Red Hat Enterprise Linux	8	x86_64	aardvark-dns	2:1.0.1-37.module+el8.8.0+17954+9046de88	aardvark-dns-2:1.0.1-37.module+el8.8.0+17954+9046de88.x86_64.rpm
Red Hat Enterprise Linux	8	aarch64	buildah	1:1.24.6-5.module+el8.8.0+18083+cd85596b	buildah-1:1.24.6-5.module+el8.8.0+18083+cd85596b.aarch64.rpm
Red Hat Enterprise Linux	8	ppc64le	buildah	1:1.24.6-5.module+el8.8.0+18083+cd85596b	buildah-1:1.24.6-5.module+el8.8.0+18083+cd85596b.ppc64le.rpm
Red Hat Enterprise Linux	8	s390x	buildah	1:1.24.6-5.module+el8.8.0+18083+cd85596b	buildah-1:1.24.6-5.module+el8.8.0+18083+cd85596b.s390x.rpm
Red Hat Enterprise Linux	8	x86_64	buildah	1:1.24.6-5.module+el8.8.0+18083+cd85596b	buildah-1:1.24.6-5.module+el8.8.0+18083+cd85596b.x86_64.rpm
Red Hat Enterprise Linux	8	aarch64	buildah-debuginfo	1:1.24.6-5.module+el8.8.0+18083+cd85596b	buildah-debuginfo-1:1.24.6-5.module+el8.8.0+18083+cd85596b.aarch64.rpm
Red Hat Enterprise Linux	8	ppc64le	buildah-debuginfo	1:1.24.6-5.module+el8.8.0+18083+cd85596b	buildah-debuginfo-1:1.24.6-5.module+el8.8.0+18083+cd85596b.ppc64le.rpm

Source	Link
access	www.access.redhat.com/security/cve/CVE-2022-28131
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
go	www.go.dev/issue/53614
groups	www.groups.google.com/g/golang-announce/c/nqrv9fbR0zE
nvd	www.nvd.nist.gov/vuln/detail/CVE-2022-28131
cve	www.cve.org/CVERecord

21 Jun 2026 13:26Current

6.6Medium risk

Vulners AI Score6.6

CVSS 3.17.5

EPSS0.01875

Go language Extensible markup language Decoder Skip Stack exhaustion Deeply nested Availability impact