Vulnerability Report: GO-2022-1095

standard library

CVE-2022-41716
Affects: syscall, os/exec
Published: Nov 01, 2022
Modified: May 20, 2024

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Affected Packages

Path

Go Versions

Symbols
syscall

before go1.18.8, from go1.19.0-0 before go1.19.3
- StartProcess
os/exec

before go1.18.8, from go1.19.0-0 before go1.19.3
5 affected symbols

Aliases

CVE-2022-41716

References

https://go.dev/issue/56284
https://go.dev/cl/446916
https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM/m/hSpmRzk-AgAJ
https://vuln.go.dev/ID/GO-2022-1095.json

Credits

RyotaK (https://twitter.com/ryotkak)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL