CVE-2019-17596

HIGH

GO < 1.12.11 - Interpretation Conflict

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-17596. PoCs published by pquerna.

AI-analyzed exploit summary

This repository contains a functional proof-of-concept exploit for CVE-2019-17596, demonstrating a denial-of-service (DoS) vulnerability in Go's DSA verification implementation. The exploit triggers a panic in `dsa.Verify` by manipulating DSA signature parameters, affecting versions of Go prior to 1.13.2.

Description

Go before 1.12.11 and 1.13.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

Exploits (1)

nomisec · WORKING POC · 1 star
by pquerna · poc
https://github.com/pquerna/poc-dsa-verify-CVE-2019-17596

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Go (versions < 1.13.2)
No auth needed
Prerequisites: A vulnerable version of Go (< 1.13.2) · Ability to execute Go code or establish an SSH connection with a malicious host key
devstral-2 · analyzed Feb 19, 2026

References (13)

Core References
Release Notes, Third Party Advisory x_refsource_confirm
https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/golang/go/issues/34960
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4551
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20191122-0005/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0101
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0329
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html

Scores

CVSS v3 7.5
EPSS 0.0469
EPSS Percentile 90.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-436
Status published
Products (17)
arista/cloudvision_portal 2019.1.0
arista/cloudvision_portal 2019.1.1
arista/cloudvision_portal 2019.1.2
arista/cloudvision_portal 2018.1.0 - 2018.2.3
arista/eos < 4.23.1f
arista/mos < 0.25
arista/terminattr < 1.7.2
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 30
... and 7 more
Published Oct 24, 2019
Tracked Since Feb 18, 2026