Go — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/go/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 15 Apr 2026 12:00:00 +0000Go Markdown Library Out-of-Bounds Read Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-04-gomarkdown-oob-read/Wed, 15 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-gomarkdown-oob-read/A vulnerability in the go-markdown library exists where processing a malformed input containing a '<' character that is not followed by a '>' character with a SmartypantsRenderer can lead to an out-of-bounds read or a panic, causing a denial of service.The go-markdown library, specifically versions prior to 0.0.0-20260411013819-759bbc3e3207, is susceptible to an out-of-bounds read vulnerability. This flaw is triggered when the SmartypantsRenderer processes malformed markdown input containing a < character that is not subsequently closed by a > character within the remaining text. The vulnerability resides within the smartLeftAngle() function in html/smartypants.go. Exploitation of this vulnerability leads to either an out-of-bounds read (if the slice length is less than its capacity) or a panic (if the slice length equals its capacity), ultimately resulting in a denial of service. This issue affects applications utilizing the vulnerable versions of the go-markdown library for markdown processing.

Attack Chain

  1. An attacker crafts a malicious markdown input string containing an unclosed < tag (e.g., <a).
  2. The application receives the crafted markdown input for processing.
  3. The application uses the go-markdown library with the SmartypantsRenderer enabled to render the markdown input.
  4. The SmartypantsRenderer calls the smartLeftAngle() function in html/smartypants.go to handle the < character.
  5. The smartLeftAngle() function encounters the unclosed < tag, triggering the out-of-bounds read due to missing > character.
  6. Depending on the slice’s length and capacity, the program either reads an extra byte of data (if length < capacity) or panics (if length == capacity).
  7. The application crashes due to the panic or becomes unstable due to the out-of-bounds read.
  8. Service availability is disrupted, resulting in a denial-of-service condition.

Impact

Successful exploitation of this vulnerability leads to a denial of service. Any service using the vulnerable go-markdown library to process potentially malicious markdown input is susceptible to crashing or becoming unstable. The impact is a loss of availability for the affected service. While the specific number of affected services or sectors is not mentioned in the source, any application relying on go-markdown is potentially vulnerable.

Recommendation

  • Upgrade the go-markdown library to version 0.0.0-20260411013819-759bbc3e3207 or later to patch the vulnerability as detailed in the overview.
  • Implement input validation to sanitize or reject markdown input containing unclosed < tags. This mitigates the risk even if the vulnerable library is used.
  • Monitor application logs for unexpected panics or errors originating from the go-markdown library, specifically around markdown rendering routines.
]]>highadvisorymarkdowndenial-of-servicegoout-of-bounds read