title: "x/vuln: issue title"
labels: ["vulncheck or vulndb"]
body:
  - type: markdown
    attributes:
      value: "Please answer these questions before submitting your issue. Thanks! To add a new vulnerability to the Go vulnerability database (https://vuln.go.dev), see https://go.dev/s/vulndb-report-new. To report an issue about a report, see https://go.dev/s/vulndb-report-feedback."
  - type: textarea

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: 1.24.x
          cached: false
      - name: Get official govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
        shell: bash
      - name: Run govulncheck
        run: govulncheck -show verbose ./...

outside of the safe formats, etc.) are not treated as vulnerabilities.

### Reporting process

Please use [Google Bug Hunters reporting form](https://g.co/vulnz) to report
security vulnerabilities. Please include the following information along with
your report:

  - A descriptive title
  - Your name and affiliation (if any).

	VXORV		V1, V2		// 42042771
	VNORV		V1, V2		// 42842771
	VANDNV		V1, V2		// 42042871
	VORNV		V1, V2		// 42842871

	// VANDB,VORB,VXORB,VNORB
	VANDB		$0, V2, V3      // 4300d073
	VORB		$64, V2, V3     // 4300d573
	VXORB		$128, V2, V3    // 4300da73
	VNORB		$255, V2, V3    // 43fcdf73
	VANDB		$0, V2		// 4200d073
	VORB		$64, V2		// 4200d573
	VXORB		$128, V2	// 4200da73
	VNORB		$255, V2	// 42fcdf73

	VLEIB	$15, $255, V0           // e70000fff040
	VLEIH	$7, $-32768, V15        // e7f080007041
	VLEIF	$2, $-43, V16           // e700ffd52843
	VLEIG	$1, $32767, V31         // e7f07fff1842
	VSLDB	$3, V1, V16, V18        // e72100030a77
	VERIMB	$2, V31, V1, V2         // e72f10020472
	VSEL	V1, V2, V3, V4          // e7412000308d
	VGFMAH	V21, V31, V24, V0       // e705f10087bc

VPERM ZER, RED2, SEL2, RED1 // 0 d1 d0 0 VSQ RED1, RED2, RED2 // Guaranteed not to underflow VSLDB $8, T1, T0, T0 VSLDB $8, T2, T1, T1 VACCQ T0, RED1, CAR1 VAQ T0, RED1, T0 VACCCQ T1, RED2, CAR1, CAR2 VACQ T1, RED2, CAR1, T1 VAQ T2, CAR2, T2 // Second round VPERM T1, T0, SEL1, RED2 // d1 d0 d1 d0 VPERM ZER, RED2, SEL2, RED1 // 0 d1 d0 0 VSQ RED1, RED2, RED2 // Guaranteed not to underflow VSLDB $8, T1, T0, T0 VSLDB $8, T2, T1, T1 VACCQ T0, RED1, CAR1 VAQ T0, RED1, T0 VACCCQ T1, RED2, CAR1, CAR2 VACQ T1,...

VPERM ZER, RED2, SEL2, RED1 // 0 d1 d0 0 VSQ RED1, RED2, RED2 // Guaranteed not to underflow VSLDB $8, T1, T0, T0 VSLDB $8, T2, T1, T1 VACCQ T0, RED1, CAR1 VAQ T0, RED1, T0 VACCCQ T1, RED2, CAR1, CAR2 VACQ T1, RED2, CAR1, T1 VAQ T2, CAR2, T2 // Second round VPERM T1, T0, SEL1, RED2 // d1 d0 d1 d0 VPERM ZER, RED2, SEL2, RED1 // 0 d1 d0 0 VSQ RED1, RED2, RED2 // Guaranteed not to underflow VSLDB $8, T1, T0, T0 VSLDB $8, T2, T1, T1 VACCQ T0, RED1, CAR1 VAQ T0, RED1, T0 VACCCQ T1, RED2, CAR1, CAR2 VACQ T1,...

  CVE-2021-29923 golang standard library "net" - Improper Input Validation of octal literals in golang 1.16.2 and below standard library "net" results in indeterminate SSRF & RFI vulnerabilities.
  Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-29923 ([#104368](https://github.com/kubernetes/kubernetes/pull/104368), [@aojea](https://github.com/aojea))

## Security

* TF is currently using giflib 5.2.1 which has [CVE-2022-28506](https://nvd.nist.gov/vuln/detail/CVE-2022-28506). TF is not affected by the CVE as it does not use `DumpScreen2RGB` at all.