CVE-2022-2879
- Source
- https://cve.org/CVERecord?id=CVE-2022-2879
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2879.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-2879
- Aliases
- Downstream
- Related
- Published
- 2022-10-14T00:00:00Z
- Modified
- 2026-05-15T04:04:41.105681501Z
- Summary
- Unbounded memory consumption when reading headers in archive/tar
- Details
-
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
- Database specific
{ "cna_assigner": "Go", "unresolved_ranges": [ { "source": "AFFECTED_FIELD", "extracted_events": [ { "fixed": "1.18.7" }, { "introduced": "1.19.0-0" }, { "fixed": "1.19.2" } ] } ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/2xxx/CVE-2022-2879.json" }- References
-
- https://go.dev/cl/439355
- https://go.dev/issue/54853
- https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
- https://pkg.go.dev
- https://pkg.go.dev/vuln/GO-2022-1037
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/2xxx/CVE-2022-2879.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-2879
- https://security.gentoo.org/glsa/202311-09