{"id":"GO-2024-2598","summary":"Verify panics on certificates with an unknown public key algorithm in crypto/x509","details":"Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.\n\nThis affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.","aliases":["BIT-golang-2024-24783","CVE-2024-24783"],"modified":"2026-02-04T03:12:08.722840Z","published":"2024-03-05T22:14:58Z","related":["CGA-94q3-qj9w-97jm","RHSA-2024:0045","RHSA-2024:2562","RHSA-2024:2724","RHSA-2024:3259","RHSA-2024:3346","RHSA-2024:3781","RHSA-2024:4023","RHSA-2024:4125","RHSA-2024:4893","RHSA-2024:5258","RHSA-2024:6186","RHSA-2024:6187","RHSA-2024:6188","RHSA-2024:6189","RHSA-2024:6194","RHSA-2024:6195","RHSA-2024:6969"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-2598","review_status":"REVIEWED"},"references":[{"type":"REPORT","url":"https://go.dev/issue/65390"},{"type":"FIX","url":"https://go.dev/cl/569339"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.21.8"},{"introduced":"1.22.0-0"},{"fixed":"1.22.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["Certificate.Verify","Certificate.buildChains"],"path":"crypto/x509"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2598.json"}}],"schema_version":"1.7.3","credits":[{"name":"John Howard (Google)"}]}