The vulnerability lies in the improper sanitization of LDFLAGS directives used with cgo. The provided patch, commit 356a419e2f811b65d227abcea1a346f8dcb154e0, modifies the regular expressions in validLinkerFlags in src/cmd/go/internal/work/security.go; the checkLinkerFlags function in the same file uses these regexes to validate linker flags. The changes make the validation stricter, specifically for flags such as -Wl,-O, -Wl,-e, and -Wl,-R, so that each must be followed by its mandatory argument. This directly addresses the described vulnerability, in which arguments that are not optional were treated as optional, allowing flag smuggling. Therefore cmd/go/internal/work.checkLinkerFlags is the function that, prior to the patch, processed and incorrectly sanitized the malicious input, making it the key vulnerable function in the runtime profile during exploitation.
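The difference between an optional and a mandatory argument in an allowlist regex, shown as an added example that is not code from the patch or from security.go: the patterns below are illustrative stand-ins for the -Wl,-O, -Wl,-e and -Wl,-R rules, and checkLinkerFlags here is a minimal model of a whole-string allowlist validator, not the Go tool's own function.

```go
package main

import (
	"fmt"
	"regexp"
)

// fullMatch anchors a pattern so only a whole-string match accepts a flag.
func fullMatch(pat string) *regexp.Regexp {
	return regexp.MustCompile(`^(?:` + pat + `)$`)
}

// Illustrative allowlists (stand-ins, not the patterns in security.go): the
// loose set makes each flag's argument optional (*), the strict set requires it (+).
var looseLinkerFlags = []*regexp.Regexp{
	fullMatch(`-Wl,-O[0-9]*`),
	fullMatch(`-Wl,-e[=,][a-zA-Z0-9_]*`),
	fullMatch(`-Wl,-R[=,]?[a-zA-Z0-9_./]*`),
}
var strictLinkerFlags = []*regexp.Regexp{
	fullMatch(`-Wl,-O[0-9]+`),
	fullMatch(`-Wl,-e[=,][a-zA-Z0-9_]+`),
	fullMatch(`-Wl,-R[=,]?[a-zA-Z0-9_./]+`),
}

// checkLinkerFlags returns the first flag no pattern fully matches, or "" and true.
func checkLinkerFlags(allow []*regexp.Regexp, flags []string) (bad string, ok bool) {
	for _, f := range flags {
		accepted := false
		for _, re := range allow {
			if re.MatchString(f) {
				accepted = true
				break
			}
		}
		if !accepted {
			return f, false
		}
	}
	return "", true
}

func main() {
	// Constructed inputs: flags missing their argument, then well-formed ones.
	for _, f := range []string{"-Wl,-O", "-Wl,-e,", "-Wl,-R,", "-Wl,-O1", "-Wl,-e,main", "-Wl,-R,/usr/lib"} {
		_, loose := checkLinkerFlags(looseLinkerFlags, []string{f})
		_, strict := checkLinkerFlags(strictLinkerFlags, []string{f})
		fmt.Printf("%-18q loose=%-5v strict=%v\n", f, loose, strict)
	}
}
```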