CVE-2018-17142

HIGH

golang/net < 2018-09-17 - Use-After-Free in HTML Parser

Title source: llm

Description

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.

References (3)

Core 3

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/golang/go/issues/27702

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK/

Scores

CVSS v3 7.5

EPSS 0.0065

EPSS Percentile 71.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-476

Status published

Products (4)

fedoraproject/fedora 28

fedoraproject/fedora 29

golang/net < 2018-09-17

x/net 0 - 0.0.0-20180925071336-cf3bd585ca2aGo

Published Sep 17, 2018

Tracked Since Feb 18, 2026