{"id":"GO-2022-1037","summary":"Unbounded memory consumption when reading headers in archive/tar","details":"Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.","aliases":["BIT-golang-2022-2879","CVE-2022-2879"],"modified":"2026-03-17T04:29:12.794002Z","published":"2022-10-06T16:26:05Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2022-1037"},"references":[{"type":"REPORT","url":"https://go.dev/issue/54853"},{"type":"FIX","url":"https://go.dev/cl/439355"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.18.7"},{"introduced":"1.19.0-0"},{"fixed":"1.19.2"}]}],"ecosystem_specific":{"imports":[{"symbols":["Reader.Next","Reader.next","Writer.WriteHeader","Writer.writePAXHeader","parsePAX"],"path":"archive/tar"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-1037.json"}}],"schema_version":"1.7.5","credits":[{"name":"Adam Korczynski (ADA Logics)"},{"name":"OSS-Fuzz"}]}