CVE-2022-23772 in Google Go

Summary

by MITRE • 02/11/2022

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.


Analysis

by VulDB Data Team • 02/12/2025

The vulnerability identified as CVE-2022-23772 resides in the math/big package of the Go programming language and specifically affects the Rat.SetString function. It manifests as an integer overflow condition that can be exploited to cause uncontrolled memory consumption, a significant concern for applications that rely on arbitrary-precision arithmetic. The vulnerability affects Go versions prior to 1.16.14 and 1.17.x versions prior to 1.17.7, leaving a substantial portion of the Go ecosystem exposed. The flaw is triggered when certain string inputs are processed by Rat.SetString, the function responsible for parsing rational numbers from their string representations.

Technically, the vulnerability stems from inadequate input validation in Rat.SetString's handling of string representations of rational numbers. When processing malformed or specially crafted input strings, the function fails to check for integer overflow in its internal arithmetic. The overflow causes the function to allocate excessive memory, which can lead to memory exhaustion, application crashes, or denial of service. Because the flaw sits in the Go runtime's big-integer and rational-number handling, it is particularly dangerous for applications that pass untrusted input through these functions.

The operational impact of CVE-2022-23772 extends beyond simple denial of service, as the flaw can be leveraged to consume system resources at an exponential rate. Applications that use Go's math/big package to process user input, parse configuration files, or handle network data risk memory exhaustion when they encounter maliciously crafted inputs. The vulnerability aligns with CWE-190, Integer Overflow or Wraparound, and can be mapped to ATT&CK technique T1499.004 for resource exhaustion attacks. Its exploitation potential is greatest where Go applications process untrusted data from external sources, such as web applications, network services, or data-processing systems that rely on arbitrary-precision arithmetic.

Mitigating CVE-2022-23772 requires an immediate upgrade to Go 1.16.14 or 1.17.7 (or later), which contain the patches for the integer overflow condition. Organizations should also validate input before passing it to Rat.SetString, particularly when handling external or untrusted data. Additional defensive measures include monitoring memory consumption patterns, enforcing resource limits on affected applications, and reviewing code to identify every use of the vulnerable function. Security teams should prioritize patching affected systems and monitoring for exploitation attempts, since the vulnerability can be exploited remotely through network services that accept string input for rational-number parsing.
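The input-validation measure recommended above, as an added example that is not part of the VulDB analysis or of the Go project's own code. The wrapper below bounds the length of the string, restricts it to the characters a decimal rational needs, and rejects absurd decimal exponents before the string ever reaches Rat.SetString. The bounds (maxRatInputLen, maxRatExponent) and the exponent heuristic are my own defensive assumptions, not something the advisory specifies; upgrading Go remains the actual fix, and this only limits the blast radius of untrusted input in code that calls the function.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"strings"
)

// Constructed bounds: generous for any realistic numeric input, but far
// below anything that would let a parser allocate runaway amounts of memory.
const (
	maxRatInputLen = 256
	maxRatExponent = 1000
)

// ErrRatInput is returned for any string the wrapper refuses to parse.
var ErrRatInput = errors.New("rational input rejected")

// ParseRatBounded validates s and then parses it with big.Rat.SetString.
// It accepts only decimal forms ("3/4", "-1.25", "1.5e3"); hex/octal
// prefixes that SetString would otherwise allow are deliberately excluded
// so that the allowed character set stays small (an assumption, not a
// requirement of the advisory).
func ParseRatBounded(s string) (*big.Rat, error) {
	if len(s) == 0 || len(s) > maxRatInputLen {
		return nil, fmt.Errorf("%w: length %d outside 1..%d", ErrRatInput, len(s), maxRatInputLen)
	}
	for i, c := range s {
		if !strings.ContainsRune("0123456789+-./eE", c) {
			return nil, fmt.Errorf("%w: unexpected character %q at offset %d", ErrRatInput, c, i)
		}
	}
	// Bound the decimal exponent: a huge exponent is exactly the kind of
	// input that drives the parser toward oversized allocations.
	if i := strings.IndexAny(s, "eE"); i >= 0 {
		exp, err := strconv.Atoi(s[i+1:])
		if err != nil {
			return nil, fmt.Errorf("%w: unparsable exponent %q", ErrRatInput, s[i+1:])
		}
		if exp > maxRatExponent || exp < -maxRatExponent {
			return nil, fmt.Errorf("%w: exponent %d outside ±%d", ErrRatInput, exp, maxRatExponent)
		}
	}
	r, ok := new(big.Rat).SetString(s)
	if !ok {
		return nil, fmt.Errorf("%w: not a rational number", ErrRatInput)
	}
	return r, nil
}

func main() {
	// Constructed sample inputs: two benign values, then three that the
	// wrapper refuses before SetString sees them.
	inputs := []string{"3/4", "1.5e3", "1e9999999999", strings.Repeat("9", 300), "0x10/2"}
	for _, in := range inputs {
		shown := in
		if len(shown) > 20 {
			shown = shown[:20] + "..."
		}
		if r, err := ParseRatBounded(in); err != nil {
			fmt.Printf("%-24s rejected: %v\n", shown, err)
		} else {
			fmt.Printf("%-24s ok: %s\n", shown, r.RatString())
		}
	}
}
```

The whitelist and exponent check run in linear time over a string of at most maxRatInputLen bytes, so the wrapper itself cannot become the resource sink it is guarding against; pair it with the process-level memory limits the analysis also recommends.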
