CVE-2023-29405

Name: CVE-2023-29405
Creator: NVD / NIST
Published: 2023-06-08T21:15:17.197+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 1.73%

Last modified Jun 17, 2026

CVE-2023-29405 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. EPSS estimates a 1.73% chance of exploitation in the next 30 days.

Description

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.73%

74.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-74

Affected Software

Vendor	Product	Versions
Golang	Go	< 1.19.10
Golang	Go	>= 1.20.0, < 1.20.5
Fedoraproject	Fedora	38

References

https://go.dev/cl/501224Patch
https://go.dev/issue/60306Issue Tracking
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/Mailing List
https://pkg.go.dev/vuln/GO-2023-1842Vendor Advisory
https://security.gentoo.org/glsa/202311-09
https://go.dev/cl/501224Patch
https://go.dev/issue/60306Issue Tracking
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/Mailing List
https://pkg.go.dev/vuln/GO-2023-1842Vendor Advisory
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20241206-0003/

Timeline

Published: Jun 8, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-29405?

How severe is CVE-2023-29405?

CVE-2023-29405 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 1.73% probability of exploitation in the next 30 days.

How do I fix CVE-2023-29405?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-29405?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST