{"id":"CVE-2023-23626","summary":"Denial of service when feeding malformed size arguments in go-bitfield","details":"go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s. This happen when the `size` is a not a multiple of `8` or is negative. There were already a note in the `NewBitfield` documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that `size` is a multiple of 8 before calling `NewBitfield` or `FromBytes`.\n","aliases":["GHSA-2h6c-j3gf-xp9r","GO-2023-1558"],"modified":"2026-04-02T08:49:18.051359Z","published":"2023-02-09T20:54:07.075Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/23xxx/CVE-2023-23626.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-754"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/23xxx/CVE-2023-23626.json"},{"type":"ADVISORY","url":"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23626"},{"type":"FIX","url":"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ipfs/go-bitfield","events":[{"introduced":"0"},{"fixed":"345bb295b923068375b7b171ffc4b0923abd1c11"}]}],"versions":["v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23626.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}