golang: archive/tar: Unbounded allocation when parsing GNU sparse map

A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go...

Moderate: Red Hat Security Advisory: golang security update

An update for golang is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...

Moderate: delve and golang security update

The Go Programming Language. Security Fixes: golang: archive/tar: Unbounded allocation when parsing GNU sparse map CVE-2025-58183 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the...

RHEL 10 : golang (RHSA-2025:21779)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:21779 advisory. The golang packages provide the Go programming language compiler. Security Fixes: golang: archive/tar: Unbounded allocation when parsing GNU sparse...

ALSA-2025:21815 Moderate: delve and golang security update

The Go Programming Language. Security Fixes: golang: archive/tar: Unbounded allocation when parsing GNU sparse map CVE-2025-58183 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the...

RHEL 9 : golang (RHSA-2025:21778)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:21778 advisory. The golang packages provide the Go programming language compiler. Security Fixes: golang: archive/tar: Unbounded allocation when parsing GNU sparse...

AlmaLinux 9 : delve and golang (ALSA-2025:21815)

The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2025:21815 advisory. golang: archive/tar: Unbounded allocation when parsing GNU sparse map CVE-2025-58183 Tenable has extracted the preceding description block directly from the...

Amazon Linux 2023 : amazon-cloudwatch-agent (ALAS2023-2025-1275)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1275 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL...

Amazon Linux 2 : amazon-cloudwatch-agent, --advisory ALAS2-2025-3068 (ALAS-2025-3068)

The version of amazon-cloudwatch-agent installed on the remote host is prior to 1.300060.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-3068 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values othe...

Amazon Linux 2 : soci-snapshotter, --advisory ALAS2DOCKER-2025-080 (ALASDOCKER-2025-080)

The version of soci-snapshotter installed on the remote host is prior to 0.11.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DOCKER-2025-080 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than...

Amazon Linux 2 : containerd, --advisory ALAS2ECS-2025-079 (ALASECS-2025-079)

The version of containerd installed on the remote host is prior to 2.1.4-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2025-079 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6...

Amazon Linux 2 : golist, --advisory ALAS2-2025-3069 (ALAS-2025-3069)

The version of golist installed on the remote host is prior to 0.10.1-10. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-3069 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresse...

Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2025-1272)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1272 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL...

Important: runc

Issue Overview: Placeholder CVE. Details forthcoming CVE-2025-31133 net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to b...

Important: docker

Issue Overview: net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed withi...

Important: containerd

Issue Overview: net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed withi...

Amazon Linux 2 : runc, --advisory ALAS2NITRO-ENCLAVES-2025-072 (ALASNITRO-ENCLAVES-2025-072)

The version of runc installed on the remote host is prior to 1.3.2-2. It is, therefore, affected by a vulnerability as referenced in the ALAS2NITRO-ENCLAVES-2025-072 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version...

BIT-GOLANG-2025-58183 Unbounded allocation when parsing GNU sparse map in archive/tar

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a...

MGASA-2025-0256 Updated golang packages fix security vulnerabilities

Insufficient validation of bracketed IPv6 hostnames in net/url. CVE-2025-47912 Unbounded allocation when parsing GNU sparse map in archive/tar. CVE-2025-58183 Parsing DER payload can cause memory exhaustion in encoding/asn1. CVE-2025-58185 Lack of limit when parsing cookies can cause memory...

Unbounded allocation when parsing GNU sparse map in archive/tar

...