What is GHSA-p93v-m2r2-4387?

GHSA-p93v-m2r2-4387 is a security advisory published by GitHub Security Advisories with Medium severity. Denial of service via insufficient metadata validation

Why does GHSA-p93v-m2r2-4387 have no CVE ID yet?

GitHub Security Advisories published this advisory directly to customers before NVD assigned a CVE ID. This is the embargo-window disclosure pattern — vendors notify customers on day 0; NVD's public record follows days to weeks later.

Which products are affected by GHSA-p93v-m2r2-4387?

GHSA-p93v-m2r2-4387 affects 1 product, including: go/github.com/google/fscrypt:\u003c 0.3.3.

GHSA-p93v-m2r2-4387MediumDisclosed before NVD

Denial of service via insufficient metadata validation

Vendor

GitHub Security Advisories

Published

March 1, 2022

Last Modified

June 8, 2026

📋 Description

The PAM module for fscrypt through v0.3.2 doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to v0.3.3 or above.

For more details, see CVE-2022-25327.

🎯 Affected products1

go/github.com/google/fscrypt:< 0.3.3

🔗 References (4)

https://github.com/google/fscrypt/security/advisories/GHSA-p93v-m2r2-4387
https://github.com/google/fscrypt/commit/91aa3ebf42032ca783c41f9ec25d885875f66ddb
https://pkg.go.dev/vuln/GO-2022-0340
https://github.com/advisories/GHSA-p93v-m2r2-4387