GHSA-vv6c-69r6-chg9
Go-Landlock in best-effort mode did not restrict TCP bind and connect operations correctly
Blast Radius
github.com/landlock-lsm/go-landlockReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Impact
When using the recommended "best-effort" mode, Go-Landlock did not restrict the TCP bind() and connect() operations any more when they were requested. This affects Go-Landlock users to whom both of the following conditions apply:
- They use Landlock rulesets that are supposed to restrict networking (through
landlock.V4,landlock.V5, or self-configured). - These Landlock rulesets are used in best-effort mode.
Typically, affected code uses the Go-Landlock API like this (the crucial part being the combination of V4/V5 and .BestEffort()):
err := landlock.V5.BestEffort().Restrict(...)
- This is a bug in the Go-Landlock library and does not affect programs that use Landlock via C or other language bindings.
- The bug only affects networking restrictions. File system restrictions continue to work as expected.
Patches
Patched in: https://github.com/landlock-lsm/go-landlock/commit/fb3ad845df462d013f9c8a965c496617c6a5778b Users should upgrade to: v0.0.0-20241013234402-fb3ad845df46
Go package dependencies can be updated using go get -u from the project directory.
Projects on Github might get notified by Dependabot, once this advisory is public.
Workarounds
None.
References
Currently none.
The existing users of Go-Landlock on Github have the following bugs filed:
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/landlock-lsm/go-landlock | ≥ 0.0.0-20240109&&< 0.0.0-20241013234402-fb3ad845df46 | 0.0.0-20241013234402-fb3ad845df46 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/landlock-lsm/go-landlock. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/landlock-lsm/go-landlock to 0.0.0-20241013234402-fb3ad845df46 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-vv6c-69r6-chg9 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-vv6c-69r6-chg9 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-vv6c-69r6-chg9. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-vv6c-69r6-chg9 in your dependencies?
O3 detects GHSA-vv6c-69r6-chg9 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.