Vulnerability Report: GO-2022-0217

CVE-2019-6486
Affects: crypto/elliptic
Published: May 24, 2022
Modified: Jun 12, 2023

A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.

Affected Packages

Path

Versions

Symbols
crypto/elliptic

before go1.10.8, from go1.11.0-0 before go1.11.5

all symbols

Aliases

CVE-2019-6486

References

https://go.dev/cl/159218
https://go.googlesource.com/go/+/193c16a3648b8670a762e925b6ac6e074f468a20
https://go.dev/issue/29903
https://groups.google.com/g/golang-announce/c/mVeX35iXuSw
https://vuln.go.dev/ID/GO-2022-0217.json

Credits

Wycheproof Project

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL