{"id":"CVE-2021-38561","details":"golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.","aliases":["GHSA-ppp9-7jff-5vj2","GO-2021-0113"],"modified":"2026-03-20T04:11:02.260502Z","published":"2022-12-26T06:15:10.560Z","related":["CGA-rxmv-qq37-m2jc","openSUSE-SU-2024:12599-1","openSUSE-SU-2024:14015-1"],"references":[{"type":"ADVISORY","url":"https://groups.google.com/g/golang-announce"},{"type":"ADVISORY","url":"https://pkg.go.dev/golang.org/x/text/language"},{"type":"FIX","url":"https://deps.dev/advisory/OSV/GO-2021-0113"},{"type":"FIX","url":"https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/golang/text","events":[{"introduced":"0"},{"fixed":"383b2e75a7a4198c42f8f87833eefb772868a56f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.3.7"}]}}],"versions":["v0.1.0","v0.2.0","v0.3.0","v0.3.1","v0.3.2","v0.3.3","v0.3.4","v0.3.5","v0.3.6"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-38561.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}