CVE-2024-24787

Summary

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

Affected Software

VendorProductVersion RangeStatus
Go toolchaincmd/go0 < 1.21.10affected
Go toolchaincmd/go1.22.0-0 < 1.22.3affected

Weaknesses

  • CWE 74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References