Panic on large handshake records in crypto/tls

GO-2023-1570 · BIT-golang-2022-41724 · CVE-2022-41724

Published Feb 16, 2023 · Modified Feb 4, 2026

Description

Large handshake records may cause panics in crypto/tls.

Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.

This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

References

REPORT https://go.dev/issue/58001
FIX https://go.dev/cl/468125
WEB https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes