CVE-2024-9355
MEDIUM EPSS 21.4%
Published Oct 1, 20241y ago · Modified Jun 18, 20261w ago
6.5 CVSS 3.1
Published Oct 1, 2024 1y ago
Last Modified Jun 18, 2026 1w ago
Description
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability Low
Threat Intelligence
EPSS Exploit Probability
21.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-457
References 14
- access.redhat.com https://access.redhat.com/errata/RHSA-2024:10133
- access.redhat.com https://access.redhat.com/errata/RHSA-2024:7502
- access.redhat.com https://access.redhat.com/errata/RHSA-2024:7550
- access.redhat.com https://access.redhat.com/errata/RHSA-2024:8327
- access.redhat.com https://access.redhat.com/errata/RHSA-2024:8678
- access.redhat.com https://access.redhat.com/errata/RHSA-2024:8847
- access.redhat.com https://access.redhat.com/errata/RHSA-2024:9551
- access.redhat.com https://access.redhat.com/errata/RHSA-2025:2416
- access.redhat.com https://access.redhat.com/errata/RHSA-2025:7118
- access.redhat.com https://access.redhat.com/errata/RHSA-2025:7256
- access.redhat.com https://access.redhat.com/errata/RHSA-2025:7624
- access.redhat.com https://access.redhat.com/security/cve/CVE-2024-9355
- bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2315719
- github.com https://github.com/golang-fips/openssl/pull/198
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.