CVE-2022-41716

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string A=Bx00C=D sets the variables A=B and C=D.

Affected Software

Name	Vendor	Start Version	End Version
Go	Golang	*	1.18.8 (excluding)
Go	Golang	1.19.0 (including)	1.19.3 (excluding)
Golang	Ubuntu	trusty	*
Golang	Ubuntu	xenial	*
Golang-1.10	Ubuntu	bionic	*
Golang-1.10	Ubuntu	trusty	*
Golang-1.10	Ubuntu	trusty/esm	*
Golang-1.10	Ubuntu	xenial	*
Golang-1.13	Ubuntu	bionic	*
Golang-1.13	Ubuntu	kinetic	*
Golang-1.13	Ubuntu	xenial	*
Golang-1.16	Ubuntu	bionic	*
Golang-1.16	Ubuntu	trusty	*
Golang-1.16	Ubuntu	xenial	*
Golang-1.17	Ubuntu	trusty	*
Golang-1.17	Ubuntu	xenial	*
Golang-1.18	Ubuntu	bionic	*
Golang-1.18	Ubuntu	trusty	*
Golang-1.18	Ubuntu	xenial	*
Golang-1.19	Ubuntu	kinetic	*
Golang-1.19	Ubuntu	lunar	*
Golang-1.19	Ubuntu	trusty	*
Golang-1.19	Ubuntu	xenial	*
Golang-1.20	Ubuntu	lunar	*
Golang-1.20	Ubuntu	mantic	*
Golang-1.20	Ubuntu	trusty	*
Golang-1.20	Ubuntu	xenial	*
Golang-1.6	Ubuntu	trusty	*
Golang-1.6	Ubuntu	xenial	*
Golang-1.8	Ubuntu	bionic	*
Golang-1.9	Ubuntu	bionic	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-41716
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html

Affected Software

References