{"id":"CVE-2024-9355","details":"A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.  It is also possible to force a derived key to be all zeros instead of an unpredictable value.  This may have follow-on implications for the Go TLS stack.","aliases":["GHSA-3h3x-2hwv-hr52","GO-2024-3167"],"modified":"2026-03-15T22:49:59.767957Z","published":"2024-10-01T19:15:09.793Z","related":["ALSA-2024:7502","ALSA-2024:7550","ALSA-2024:8327","ALSA-2024:8678","ALSA-2024:8847","ALSA-2025:7118","ALSA-2025:7256","SUSE-SU-2024:3911-1","openSUSE-SU-2024:0350-1","openSUSE-SU-2024:14447-1"],"references":[{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2024-9355"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:7502"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8847"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:9551"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:7256"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:7624"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:10133"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:7550"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8327"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8678"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:2416"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:7118"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2315719"},{"type":"FIX","url":"https://github.com/golang-fips/openssl/pull/198"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-9355.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"}]}