CVE-2020-8945 in proglottis Go Wrapper

Summary

by MITRE

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.


Analysis

by VulDB Data Team • 11/30/2025

The vulnerability identified as CVE-2020-8945 affects the proglottis Go wrapper for the GPGME library, specifically versions prior to 0.1.1. This issue represents a critical use-after-free condition that can be exploited during GPG signature verification processes, particularly when container image pulls are executed through Docker or CRI-O container runtimes. The proglottis wrapper serves as an interface between Go applications and the underlying GPGME cryptographic library, which is responsible for handling OpenPGP operations including signature verification.

The technical flaw manifests as a use-after-free vulnerability classified under CWE-416, where memory that has been freed is subsequently accessed by the application. This occurs during the GPG signature verification process when the proglottis wrapper manages the lifecycle of GPGME objects. When container images are pulled and their signatures validated, the wrapper may prematurely free memory structures while other operations are still referencing them, creating a scenario where subsequent memory access can result in undefined behavior. The vulnerability is particularly concerning because it can be triggered through legitimate container image pull operations, making it difficult to distinguish between normal application behavior and exploitation attempts.
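The premature-free scenario described above, modelled in Go as an added example (not code from proglottis/gpgme): a wrapper object whose finalizer frees the native handle, the unsafe call pattern in which the Go object becomes unreachable while its raw handle is still in use by the native call, and the runtime.KeepAlive fix that pins the object until that call returns. The handle table and nativeVerify are constructed stand-ins for GPGME, and treating the Go finalizer as the release path is an assumption about the bug class, not something the advisory states.

```go
package main

import (
	"runtime"
	"sync"
	"time"
)

// Stand-in for the native library: a table of live contexts keyed by an opaque
// handle, in the role of gpgme_ctx_t pointers (constructed, not GPGME's API).
var (
	mu     sync.Mutex
	live   = map[uintptr]bool{}
	nextID uintptr
)

func nativeNew() uintptr {
	mu.Lock()
	defer mu.Unlock()
	nextID++
	live[nextID] = true
	return nextID
}

// nativeVerify simulates a long-running C signature check that only sees the raw
// handle; a GC cycle is forced mid-call. It reports whether the context was still allocated.
func nativeVerify(h uintptr) bool {
	runtime.GC()
	time.Sleep(20 * time.Millisecond) // let the finalizer goroutine run if the Context is unreachable
	mu.Lock()
	defer mu.Unlock()
	return live[h]
}

// Context is the Go-side wrapper; its finalizer frees the native object.
type Context struct{ h uintptr }

func NewContext() *Context {
	c := &Context{h: nativeNew()}
	runtime.SetFinalizer(c, func(c *Context) { mu.Lock(); delete(live, c.h); mu.Unlock() })
	return c
}

// VerifyUnsafe never touches c after reading c.h, so the GC may finalize c (freeing the native context) mid-call.
func (c *Context) VerifyUnsafe() bool { return nativeVerify(c.h) }

// VerifySafe pins c until the native call returns: the fix pattern for this bug class.
func (c *Context) VerifySafe() bool {
	ok := nativeVerify(c.h)
	runtime.KeepAlive(c)
	return ok
}
```

VerifyUnsafe may or may not observe the freed handle on a given run, which is exactly why such bugs surface as sporadic crashes under load; VerifySafe cannot.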

The operational impact of this vulnerability extends beyond simple application crashes to potentially enable remote code execution within the context of the container runtime process. When Docker or CRI-O perform signature verification on container images, they invoke the proglottis wrapper, which handles the cryptographic operations. An attacker could craft a malicious container image with a specially crafted GPG signature that, when processed by the vulnerable wrapper, triggers the use-after-free condition. This could result in memory corruption that allows arbitrary code execution, potentially escalating privileges or compromising the entire container runtime environment. The vulnerability affects the security posture of containerized applications and could be exploited in supply chain attacks where malicious images are pulled and verified.

Mitigation strategies for CVE-2020-8945 focus on immediate version updates to proglottis 0.1.1 or later, which contain the necessary memory management fixes to prevent the use-after-free condition. Organizations should prioritize patching container runtimes and any applications that utilize the affected proglottis wrapper, particularly those involved in image verification processes. The ATT&CK framework categorizes this vulnerability under T1059.001 (Command and Scripting Interpreter: PowerShell) and T1203 (Exploitation for Client Execution) when considering how attackers might leverage such memory corruption vulnerabilities for privilege escalation. Additionally, implementing runtime monitoring and memory integrity checks can help detect exploitation attempts. Organizations should also consider isolating container image verification processes and implementing strict image signing policies to reduce the attack surface. The vulnerability highlights the importance of proper memory management in cryptographic libraries and underscores the need for thorough security testing of wrapper libraries that interface between high-level languages and security-critical C libraries.

Reservation

02/12/2020

Moderation

accepted

CPE

ready

EPSS

0.04935

KEV

no

Activities

very low
