A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
CVE-2023-39326
Score 5.3 from GitHub Security Advisory published 2023-12-06. NVD baseline CVSS 5.3; sources differ by 0.0.
- Lower severity and no public exploit yet
A fix is available — apply it.
- CVSS v3
- 5.3
- EG Score
- 5.3(medium)
- EPSS
- 64.7%
- KEV
- Not listed
Published
December 6, 2023
Last Modified
November 21, 2024
References (10)
- security@golanghttps://go.dev/cl/547335
- security@golanghttps://go.dev/issue/64433
- security@golanghttps://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
- security@golanghttps://lists.fedoraproject.org/archives/list/[email protected]/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/
- security@golanghttps://pkg.go.dev/vuln/GO-2023-2382
- af854a3a-2127-422b-91ae-364da2661108https://go.dev/cl/547335
- af854a3a-2127-422b-91ae-364da2661108https://go.dev/issue/64433
- af854a3a-2127-422b-91ae-364da2661108https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
- af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/[email protected]/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/
- af854a3a-2127-422b-91ae-364da2661108https://pkg.go.dev/vuln/GO-2023-2382
Vendor Advisories for CVE-2023-39326(20)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2024:3868Red Hat Product SecurityHigh
Red Hat Security Advisory: Network Observability 1.6.0 for OpenShift
- RHSA-2024:3479Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 director Operator container images security update
- RHSA-2024:2728Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat OpenStack Platform 17.1 director Operator container images security update
- RHSA-2024:3467Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat OpenStack Platform 16.1 (etcd) security update
- RHSA-2024:3352Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 (etcd) security update
- RHSA-2024:3316Red Hat Product SecurityHigh
Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update
- RHSA-2024:2730Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat OpenStack Platform 17.1 (collectd-sensubility) security update
- RHSA-2024:2729Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat OpenStack Platform 17.1 (etcd) security update
- +12 more
Patch Availability(29)
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Go(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| stdlib | — | 1.21.5 | — |
Additional Vendor Advisories
(20)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Microsoft MSRCCVE-2023-393262025-09-04
Denial of service via chunk extensions in net/http
- Red HatRHSA-2023:7198MODERATE2023-12-06
RHSA-2023:7198 — Moderate
- Red HatRHSA-2023:7200MODERATE2023-12-06
RHSA-2023:7200 — Moderate
- Red HatRHSA-2023:7201MODERATE2023-12-06
RHSA-2023:7201 — Moderate
- Red HatRHSA-2024:0269MODERATE2023-12-06
RHSA-2024:0269 — Moderate
- Red HatRHSA-2024:0281MODERATE2023-12-06
RHSA-2024:0281 — Moderate
- Red HatRHSA-2024:0530MODERATE2023-12-06
RHSA-2024:0530 — Moderate
- Red HatRHSA-2024:0694MODERATE2023-12-06
RHSA-2024:0694 — Moderate
- Red HatRHSA-2024:0695MODERATE2023-12-06
RHSA-2024:0695 — Moderate
- Red HatRHSA-2024:0728MODERATE2023-12-06
RHSA-2024:0728 — Moderate
- Red HatRHSA-2024:0748MODERATE2023-12-06
RHSA-2024:0748 — Moderate
- Red HatRHSA-2024:0843MODERATE2023-12-06
RHSA-2024:0843 — Moderate
- Red HatRHSA-2024:0880MODERATE2023-12-06
RHSA-2024:0880 — Moderate
- Red HatRHSA-2024:0887MODERATE2023-12-06
RHSA-2024:0887 — Moderate
- Red HatRHSA-2024:1041MODERATE2023-12-06
RHSA-2024:1041 — Moderate
- Red HatRHSA-2024:1078MODERATE2023-12-06
RHSA-2024:1078 — Moderate
- Red HatRHSA-2024:1131MODERATE2023-12-06
RHSA-2024:1131 — Moderate
- Red HatRHSA-2024:1149MODERATE2023-12-06
RHSA-2024:1149 — Moderate
- Red HatRHSA-2024:1244MODERATE2023-12-06
RHSA-2024:1244 — Moderate
- Red HatRHSA-2024:1434MODERATE2023-12-06
RHSA-2024:1434 — Moderate
Data Freshness Timeline
(refreshed 9× in last 7d / 45× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:26 UTCEPSS rescore
- 2026-07-11 08:26 UTCEPSS rescore
- 2026-07-09 19:08 UTCEPSS rescore
- 2026-07-08 15:13 UTCEPSS rescore
- 2026-07-07 13:44 UTCEPSS rescore
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-07-06 02:22 UTCEPSS rescore
- 2026-07-05 02:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-01 15:05 UTCEPSS rescore
- 2026-06-30 23:21 UTCEPSS rescore
- 2026-06-30 23:21 UTCEPSS rescore
- 2026-06-29 14:05 UTCEPSS rescore
- 2026-06-28 04:55 UTCEPSS rescore
- 2026-06-28 04:55 UTCEPSS rescore
- 2026-06-27 03:07 UTCEPSS rescore
- 2026-06-27 03:07 UTCEPSS rescore
- 2026-06-27 02:39 UTCOSV refresh
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-24 14:04 UTCEPSS rescore
- 2026-06-24 14:04 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
Show 62 moreShow fewer
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-21 14:55 UTCEPSS rescore
- 2026-06-21 14:55 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-15 17:47 UTCEPSS rescore
- 2026-06-15 17:47 UTCEPSS rescore
- 2026-06-14 23:16 UTCEPSS rescore
- 2026-06-13 22:59 UTCEPSS rescore
- 2026-06-13 22:59 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-11 13:59 UTCEPSS rescore
- 2026-06-11 13:59 UTCEPSS rescore
- 2026-06-10 22:17 UTCEPSS rescore
- 2026-06-10 13:21 UTCEPSS rescore
- 2026-06-10 13:21 UTCEPSS rescore
- 2026-06-09 13:17 UTCOSV refresh
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-02 20:12 UTCEPSS rescore
- 2026-06-02 20:12 UTCEPSS rescore
- 2026-06-02 20:12 UTCEPSS rescore
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-29 13:43 UTCEPSS rescore
- 2026-05-29 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-26 13:43 UTCEPSS rescore
- 2026-05-26 13:43 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-24 16:52 UTCEPSS rescore
- 2026-05-24 12:40 UTCEG score recompute
- 2026-05-24 12:40 UTCVendor advisory
- 2026-05-24 12:40 UTCGHSA enrichment
Frequently asked(5)
What is CVE-2023-39326?
When was CVE-2023-39326 disclosed?
Is CVE-2023-39326 actively exploited?
What is the CVSS score of CVE-2023-39326?
How do I remediate CVE-2023-39326?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2023-39326
Is Your Infrastructure Affected by CVE-2023-39326?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.