usn-8089-2
Vulnerability from osv_ubuntu
Published
2026-03-31 17:13
Modified
2026-06-25 10:47
Summary
golang-golang-x-net-dev vulnerabilities
Details

USN-8089-1 fixed vulnerabilities in Go Networking. This update provides the corresponding update to code vendored in golang-golang-x-net-dev.

Original advisory details:

Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu discovered that servers using Go Networking could hang during shutdown if preempted by a fatal error. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-27664)

Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted stream could cause excessive CPU usage in Go Networking's HPACK decoder. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-41723)

Mohammad Thoriq Aziz discovered that Go Networking did not properly sanitize some text nodes. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-3978)

Sean Ng discovered an error in Go Networking's HTML tag handling. An attacker could possibly use this to cause a denial of service. (CVE-2025-22872)

Guido Vranken and Jakub Ciolek discovered that a maliciously crafted HTML document could exhaust system resources on servers using Go Networking. An attacker could possibly use this to cause a denial of service. (CVE-2025-47911)

Guido Vranken discovered that a maliciously crafted HTML document could put servers using Go Networking into an infinite loop. An attacker could possibly use this to cause a denial of service. (CVE-2025-58190)


{
  "affected": [
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2022-27664",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2022-41723",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2023-3978",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-22872",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-47911",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-58190",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:16.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "golang-go.net-dev",
            "binary_version": "1:0.0+git20160110.4fd4a9f-1ubuntu0.1~esm2"
          },
          {
            "binary_name": "golang-golang-x-net-dev",
            "binary_version": "1:0.0+git20160110.4fd4a9f-1ubuntu0.1~esm2"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:16.04:LTS",
        "name": "golang-golang-x-net-dev",
        "purl": "pkg:deb/ubuntu/golang-golang-x-net-dev@1:0.0+git20160110.4fd4a9f-1ubuntu0.1~esm2?arch=source\u0026distro=esm-infra/xenial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:0.0+git20160110.4fd4a9f-1ubuntu0.1~esm2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0+git20150226.3d87fd6-3",
        "0.0+git20151007.b846920+dfsg-1",
        "1:0.0+git20150817.66f0418-1",
        "1:0.0+git20160110.4fd4a9f-1",
        "1:0.0+git20160110.4fd4a9f-1ubuntu0.1~esm1"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2022-27664",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2022-41723",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2023-3978",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-22872",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-47911",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-58190",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:18.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "golang-go.net-dev",
            "binary_version": "1:0.0+git20170629.c81e7f2+dfsg-2ubuntu0.1~esm2"
          },
          {
            "binary_name": "golang-golang-x-net-dev",
            "binary_version": "1:0.0+git20170629.c81e7f2+dfsg-2ubuntu0.1~esm2"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:18.04:LTS",
        "name": "golang-golang-x-net-dev",
        "purl": "pkg:deb/ubuntu/golang-golang-x-net-dev@1:0.0+git20170629.c81e7f2+dfsg-2ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:0.0+git20170629.c81e7f2+dfsg-2ubuntu0.1~esm2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1:0.0+git20170629.c81e7f2+dfsg-1ubuntu1",
        "1:0.0+git20170629.c81e7f2+dfsg-1ubuntu2",
        "1:0.0+git20170629.c81e7f2+dfsg-2",
        "1:0.0+git20170629.c81e7f2+dfsg-2ubuntu0.1~esm1"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2021-33194",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2022-27664",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2022-41723",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2023-3978",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-22872",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-47911",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-58190",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:20.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "golang-go.net-dev",
            "binary_version": "1:0.0+git20190811.74dc4d7+dfsg-1ubuntu0.1~esm2"
          },
          {
            "binary_name": "golang-golang-x-net-dev",
            "binary_version": "1:0.0+git20190811.74dc4d7+dfsg-1ubuntu0.1~esm2"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:20.04:LTS",
        "name": "golang-golang-x-net-dev",
        "purl": "pkg:deb/ubuntu/golang-golang-x-net-dev@1:0.0+git20190811.74dc4d7+dfsg-1ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/focal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:0.0+git20190811.74dc4d7+dfsg-1ubuntu0.1~esm2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1:0.0+git20190811.74dc4d7+dfsg-1",
        "1:0.0+git20190811.74dc4d7+dfsg-1ubuntu0.1~esm1"
      ]
    }
  ],
  "aliases": [],
  "details": "USN-8089-1 fixed vulnerabilities in Go Networking. This update provides\nthe corresponding update to code vendored in golang-golang-x-net-dev.\n\nOriginal advisory details:\n\n Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and\n Kaan Onarlioglu discovered that servers using Go Networking could hang\n during shutdown if preempted by a fatal error. An attacker could possibly\n use this to cause a denial of service. This issue only affected Ubuntu\n 22.04 LTS. (CVE-2022-27664)\n\n Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted\n stream could cause excessive CPU usage in Go Networking\u0027s HPACK decoder. An\n attacker could possibly use this to cause a denial of service. This issue\n only affected Ubuntu 22.04 LTS. (CVE-2022-41723)\n\n Mohammad Thoriq Aziz discovered that Go Networking did not properly\n sanitize some text nodes. An attacker could possibly use this to execute\n arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-3978)\n\n Sean Ng discovered an error in Go Networking\u0027s HTML tag handling. An\n attacker could possibly use this to cause a denial of service.\n (CVE-2025-22872)\n\n Guido Vranken and Jakub Ciolek discovered that a maliciously crafted HTML\n document could exhaust system resources on servers using Go Networking. An\n attacker could possibly use this to cause a denial of service.\n (CVE-2025-47911)\n\n Guido Vranken discovered that a maliciously crafted HTML document could put\n servers using Go Networking into an infinite loop. An attacker could\n possibly use this to cause a denial of service. (CVE-2025-58190)",
  "id": "USN-8089-2",
  "modified": "2026-06-25T10:47:32Z",
  "published": "2026-03-31T17:13:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-8089-2"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2021-33194"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2022-27664"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2022-41723"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2023-3978"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2025-22872"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2025-47911"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2025-58190"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "summary": "golang-golang-x-net-dev vulnerabilities",
  "upstream": [
    "UBUNTU-CVE-2021-33194",
    "UBUNTU-CVE-2022-27664",
    "UBUNTU-CVE-2022-41723",
    "UBUNTU-CVE-2023-3978",
    "UBUNTU-CVE-2025-22872",
    "UBUNTU-CVE-2025-47911",
    "UBUNTU-CVE-2025-58190"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…