{"id":"USN-8089-1","summary":"golang-golang-x-net vulnerabilities","details":"Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and\nKaan Onarlioglu discovered that servers using Go Networking could hang\nduring shutdown if preempted by a fatal error. An attacker could possibly\nuse this to cause a denial of service. This issue only affected Ubuntu\n22.04 LTS. (CVE-2022-27664)\n\nArpad Ryszka and Jakob Ackermann discovered that a maliciously crafted\nstream could cause excessive CPU usage in Go Networking's HPACK decoder. An\nattacker could possibly use this to cause a denial of service. This issue\nonly affected Ubuntu 22.04 LTS. (CVE-2022-41723)\n\nMohammad Thoriq Aziz discovered that Go Networking did not properly\nsanitize some text nodes. An attacker could possibly use this to execute\narbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-3978)\n\nSean Ng discovered an error in Go Networking's HTML tag handling. An\nattacker could possibly use this to cause a denial of service.\n(CVE-2025-22872)\n\nGuido Vranken and Jakub Ciolek discovered that a maliciously crafted HTML\ndocument could exhaust system resources on servers using Go Networking. An\nattacker could possibly use this to cause a denial of service.\n(CVE-2025-47911)\n\nGuido Vranken discovered that a maliciously crafted HTML document could put\nservers using Go Networking into an infinite loop. An attacker could\npossibly use this to cause a denial of service. (CVE-2025-58190)","modified":"2026-04-27T18:42:15.231763Z","published":"2026-03-12T16:28:11Z","related":["UBUNTU-CVE-2022-27664","UBUNTU-CVE-2022-41723","UBUNTU-CVE-2023-3978","UBUNTU-CVE-2025-22872","UBUNTU-CVE-2025-47911","UBUNTU-CVE-2025-58190"],"upstream":["CVE-2022-27664","CVE-2022-41723","CVE-2023-3978","CVE-2025-22872","CVE-2025-47911","CVE-2025-58190","UBUNTU-CVE-2022-27664","UBUNTU-CVE-2022-41723","UBUNTU-CVE-2023-3978","UBUNTU-CVE-2025-22872","UBUNTU-CVE-2025-47911","UBUNTU-CVE-2025-58190"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8089-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-27664"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-41723"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-3978"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-22872"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-47911"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-58190"}],"affected":[{"package":{"name":"golang-golang-x-net","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/golang-golang-x-net@1:0.0+git20211209.491a49a+dfsg-1ubuntu0.1~esm2?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:0.0+git20211209.491a49a+dfsg-1ubuntu0.1~esm2"}]}],"versions":["1:0.0+git20210119.5f4716e+dfsg-4","1:0.0+git20210805.aaa1db6+dfsg-1","1:0.0+git20211209.491a49a+dfsg-1","1:0.0+git20211209.491a49a+dfsg-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-golang-x-net-dev","binary_version":"1:0.0+git20211209.491a49a+dfsg-1ubuntu0.1~esm2"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:22.04:LTS","cves":[{"id":"CVE-2022-27664","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2022-41723","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2023-3978","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-22872","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-47911","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-58190","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8089-1.json"}},{"package":{"name":"golang-golang-x-net","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/golang-golang-x-net@1:0.21.0+dfsg-1ubuntu0.1~esm2?arch=source&distro=esm-apps/noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:0.21.0+dfsg-1ubuntu0.1~esm2"}]}],"versions":["1:0.10.0-1","1:0.17.0+dfsg-1","1:0.20.0+dfsg-1","1:0.21.0+dfsg-1","1:0.21.0+dfsg-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-golang-x-net-dev","binary_version":"1:0.21.0+dfsg-1ubuntu0.1~esm2"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:24.04:LTS","cves":[{"id":"CVE-2025-22872","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-47911","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-58190","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8089-1.json"}}],"schema_version":"1.7.5"}