What is CVE-2021-27918?

CVE-2021-27918 is an infinite loop vulnerability found in Golang versions before 1.15.9 and 1.16.x before 1.16.1.

What is the severity of CVE-2021-27918?

CVE-2021-27918 has a severity level of high.

How does CVE-2021-27918 affect the software?

CVE-2021-27918 affects Golang versions before 1.15.9 and 1.16.x before 1.16.1, as well as certain versions of openshift-serverless-clients.

How can I fix CVE-2021-27918?

To fix CVE-2021-27918, update your Golang installation to version 1.15.9 or higher.

Where can I find more information about CVE-2021-27918?

You can find more information about CVE-2021-27918 at the following references: [CVE-2021-27918](https://www.cve.org/CVERecord?id=CVE-2021-27918), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-27918), [Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1937901), [Red Hat Advisory](https://access.redhat.com/errata/RHSA-2021:2705).

Vulnerability/
CVE-2021-27918

high

7.5

CWE

835

10/3/2021

1/10/2024

CVE-2021-27918

First published: Wed Mar 10 2021(Updated: )

An infinite loop vulnerability was found in golang. If an application defines a custom token parser initializing with `xml.NewTokenDecoder` it is possible for the parsing loop to never return. An attacker could potentially craft a malicious XML document which has an XML element with `EOF` within it, causing the parsing application to endlessly loop, resulting in a Denial of Service (DoS).

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
redhat/go	<1.15.9	1.15.9
redhat/go	<1.16.1	1.16.1
redhat/openshift-serverless-clients	<0:0.22.0-3.el8	0:0.22.0-3.el8
redhat/openshift-serverless-clients	<0:0.23.2-1.el8	0:0.23.2-1.el8
Golang Go	<1.15.9
Golang Go	>=1.16.0<1.16.1
IBM Cloud Pak for Security	<=1.10.0.0 - 1.10.11.0
IBM QRadar Suite Software	<=1.10.12.0 - 1.10.16.0

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2021-27918?
CVE-2021-27918 is an infinite loop vulnerability found in Golang versions before 1.15.9 and 1.16.x before 1.16.1.
What is the severity of CVE-2021-27918?
CVE-2021-27918 has a severity level of high.
How does CVE-2021-27918 affect the software?
CVE-2021-27918 affects Golang versions before 1.15.9 and 1.16.x before 1.16.1, as well as certain versions of openshift-serverless-clients.
How can I fix CVE-2021-27918?
To fix CVE-2021-27918, update your Golang installation to version 1.15.9 or higher.
Where can I find more information about CVE-2021-27918?
You can find more information about CVE-2021-27918 at the following references: [CVE-2021-27918](https://www.cve.org/CVERecord?id=CVE-2021-27918), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-27918), [Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1937901), [Red Hat Advisory](https://access.redhat.com/errata/RHSA-2021:2705).

collector/redhat-cve
collector/nvd-index
agent/type
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
agent/references
agent/severity
agent/weakness
agent/author
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2021-27918
agent/software-canonical-lookup
agent/event
collector/ibm-support
source/IBM
agent/tags
agent/description
collector/mitre-cve
source/MITRE
package-manager/redhat
vendor/golang
canonical/golang go
version/golang go/1.16.0
vendor/ibm
canonical/ibm cloud pak for security
version/ibm cloud pak for security/1.10.0.0 - 1.10.11.0
canonical/ibm qradar suite software
version/ibm qradar suite software/1.10.12.0 - 1.10.16.0