CVE-2023-23626

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-23626

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-23626.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-23626

Aliases

Published

2023-02-09T20:54:07Z

Modified

2025-10-14T02:42:23.582194Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Denial of service when feeding malformed size arguments in go-bitfield

Details

go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of NewBitfield and FromBytes functions, an attacker can trigger panics. This happen when the size is a not a multiple of 8 or is negative. There were already a note in the NewBitfield documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that size is a multiple of 8 before calling NewBitfield or FromBytes.

References

Affected packages

Git / github.com/ipfs/go-bitfield

Affected ranges

Type: GIT
Repo: https://github.com/ipfs/go-bitfield
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

345bb295b923068375b7b171ffc4b0923abd1c11

Affected versions

v1.*

v1.0.0