{"id":"GO-2022-0289","summary":"Misdirected I/O in syscall","details":"When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.\n\nFor users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.","aliases":["BIT-golang-2021-44717","CVE-2021-44717"],"modified":"2026-03-17T04:13:59.719986Z","published":"2022-05-18T18:23:23Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2022-0289"},"references":[{"type":"FIX","url":"https://go.dev/cl/370576"},{"type":"FIX","url":"https://go.googlesource.com/go/+/a76511f3a40ea69ee4f5cd86e735e1c8a84f0aa2"},{"type":"REPORT","url":"https://go.dev/issue/50057"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/hcmEScgc00k"},{"type":"FIX","url":"https://go.dev/cl/370577"},{"type":"FIX","url":"https://go.dev/cl/370795"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.16.12"},{"introduced":"1.17.0-0"},{"fixed":"1.17.5"}]}],"ecosystem_specific":{"imports":[{"symbols":["ForkExec"],"path":"syscall"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0289.json"}}],"schema_version":"1.7.5","credits":[{"name":"Tomasz Maczukin"},{"name":"Kamil Trzciński of GitLab"}]}