CVE-2022-27536: 
NixOS vulnerability analysis and mitigation

CVE-2022-27536 affects Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1. The vulnerability can cause a panic on macOS when presented with certain malformed certificates, allowing a remote TLS server to cause a TLS client to crash (Golang Announce).

The vulnerability exists in the Certificate.Verify functionality within the crypto/x509 package of Go 1.18.x versions prior to 1.18.1. When verifying certificate chains containing certificates that are not compliant with RFC 5280 on macOS systems, the Certificate.Verify function can panic. These non-compliant certificate chains can be delivered through TLS connections (Golang Announce). The vulnerability has been assigned a CVSS score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition. Specifically, when a TLS client encounters malformed certificates during verification, it can cause the application to crash. This affects crypto/tls and net/http clients on macOS systems (Golang Announce, NetApp Advisory).

The vulnerability has been fixed in Go version 1.18.1. Users should upgrade to this version or later to address the issue. For systems that cannot be immediately upgraded, there are no known workarounds (Golang Announce, Gentoo Security).