CVE-2023-23626: 
vulnerability analysis and mitigation

CVE-2023-23626 affects go-bitfield, a simple bitfield package for the Go programming language that aims to be more performant than the standard library. The vulnerability was discovered and disclosed on February 9, 2023. The issue affects versions up to (excluding) 1.1.0 of the package (NVD, GitHub Advisory).

The vulnerability occurs when untrusted user input is fed into the size parameter of NewBitfield and FromBytes functions. The functions can trigger panics when the size parameter is not a multiple of 8 or is negative. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NVD with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while GitHub assessed it as 5.9 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can lead to Denial of Service (DoS) conditions through application panics when processing malformed size arguments. The impact is limited to availability, with no direct effects on confidentiality or integrity (GitHub Advisory).

Users are advised to upgrade to version 1.1.0 or later. For those unable to upgrade, a workaround is available by ensuring that the size parameter is both non-negative and a multiple of 8 before calling NewBitfield or FromBytes functions. The fix involves modifying the functions to return errors instead of panicking when invalid input is provided (GitHub Advisory).