
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-41715 is a vulnerability in the regular expression parser of the Go standard library (regexp/syntax), fixed at the end of September 2022 and publicly disclosed on 4 October 2022 with the Go 1.19.2 and 1.18.7 releases. It affects programs that compile regular expressions from untrusted sources, which can be driven into memory exhaustion and denial of service. The parsed representation of a regexp is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, so a relatively small pattern can consume a disproportionately large amount of memory during parsing (Go Issue, Go Announce).
The root cause is in regexp/syntax, the package that parses a pattern into a syntax tree before it is compiled into a matching program: nothing bounded how large that tree could grow relative to the pattern text, so a pattern a few kilobytes long could expand by up to 40,000 times. The fix limits each regexp being parsed to a 256 MB memory footprint and rejects, with an error from Parse (and therefore from regexp.Compile), any expression whose representation would exceed that limit. In the 1.19.2 and 1.18.7 patch releases that error is reported as syntax.ErrInternalError, because patch releases do not add API; Go 1.20 introduced the more specific syntax.ErrLarge ("expression too large") for the same case. The issue was reported by Adam Korczynski of ADA Logics and by OSS-Fuzz (CVE Details, Go Vuln).
The impact is denial of service through memory exhaustion: a service that compiles attacker-controlled patterns (user-supplied search filters, tenant-configurable validation rules, and so on) can be made to allocate large amounts of memory per request, leading to resource exhaustion or a crash of the process. The cost is incurred at compile time; Go's matching engine remains linear-time in the input, and programs that only match against fixed, trusted patterns are not affected. Normal use of regular expressions is otherwise unchanged by the fix (NVD).
The vulnerability was patched in Go 1.19.2 and 1.18.7. The fix enforces the 256 MB limit inside the parser and rejects patterns that would exceed it, so upgrading to these versions or later is the required mitigation; rebuilding binaries with a fixed toolchain is enough, since the affected code is in the standard library rather than in a module dependency. Even with the fix, 256 MB per compile is a generous budget for a service that compiles patterns concurrently, so callers that accept patterns from untrusted sources should also cap the pattern length and treat the parser's size-limit error as a rejected request rather than as an internal failure (Go Announce).
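The following is an added example, not code from the Go project or from this page: a wrapper that compiles patterns from an untrusted source on a fixed Go toolchain (it assumes Go 1.20 or later, where the size limit is reported as syntax.ErrLarge; the check for syntax.ErrInternalError covers the 1.19.2 and 1.18.7 backports). The names CompileUntrusted, Classify, OversizedPattern, ErrPatternRejected and the 16 KB maxPatternLen are assumptions chosen for the example. The oversized pattern is constructed: about 5 KB of text that would expand to roughly five million program instructions, so it passes the length cap and is rejected by the parser's own limit.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"regexp/syntax"
	"strings"
)

// maxPatternLen is an assumed service policy, not a Go limit: the parser's
// post-fix cap is 256 MB per compile, which is still far more than a single
// untrusted request should be allowed to allocate.
const maxPatternLen = 16 * 1024

// ErrPatternRejected marks patterns refused by policy or by the parser's size
// cap, as distinct from ordinary syntax errors a caller may surface verbatim.
var ErrPatternRejected = errors.New("pattern rejected")

// CompileUntrusted compiles a pattern from an untrusted source. The length cap
// is applied before any parsing; the parser's size-limit error (syntax.ErrLarge
// on Go 1.20+, syntax.ErrInternalError on the 1.19.2/1.18.7 backports) is then
// mapped onto ErrPatternRejected.
func CompileUntrusted(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, fmt.Errorf("%w: length %d exceeds %d bytes", ErrPatternRejected, len(pattern), maxPatternLen)
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		var synErr *syntax.Error
		if errors.As(err, &synErr) &&
			(synErr.Code == syntax.ErrLarge || synErr.Code == syntax.ErrInternalError) {
			return nil, fmt.Errorf("%w: %s", ErrPatternRejected, synErr.Code)
		}
		return nil, err // ordinary malformed pattern
	}
	return re, nil
}

// Classify reports how CompileUntrusted treated a pattern: "ok", "rejected"
// (length policy or parser size cap) or "syntax" (ordinary malformed pattern).
func Classify(pattern string) string {
	_, err := CompileUntrusted(pattern)
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, ErrPatternRejected):
		return "rejected"
	default:
		return "syntax"
	}
}

// OversizedPattern is a constructed sample: 1000 small capture groups repeated
// 1000 times. The text is about 5 KB, under maxPatternLen, but its parsed form
// is roughly 5 million instructions, beyond the parser's 256 MB budget.
func OversizedPattern() string {
	return "(" + strings.Repeat("(xx?)", 1000) + "){1000}"
}

func main() {
	samples := []struct{ name, pattern string }{
		{"plain", `^[a-z0-9._%+-]+@example\.com$`},
		{"oversized", OversizedPattern()},
		{"too long", strings.Repeat("a", maxPatternLen+1)},
		{"malformed", `a(b`},
		// Nested counted repeats whose product exceeds 1000 were already
		// refused before this CVE (ErrInvalidRepeatSize), so they count as syntax errors.
		{"nested", `(a{1000}){1000}`},
	}
	for _, s := range samples {
		fmt.Printf("%-9s -> %s\n", s.name, Classify(s.pattern))
	}
}
```

Distinguishing "rejected" from "syntax" matters operationally: a size-cap rejection from an untrusted caller is worth logging and rate-limiting as probable abuse, whereas a malformed pattern is a normal user error. On a toolchain older than 1.19.2/1.18.7 the oversized sample is not rejected at all and the compile proceeds to allocate, which is the behaviour the CVE describes.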
Source: This report was generated using AI