CVE-2026-33811
Double-Free in Go DNS Resolver via Long CNAME Response
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: Go Project
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | From 1.26.0 (inc) to 1.26.3 (exc) |
| golang | go | 1.26.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update your Go environment to a fixed version. The vulnerability was addressed in Go versions 1.25.10 and 1.26.3 and later.
- Upgrade your Go installation to version 1.25.10 or later, or 1.26.3 or later.
If upgrading immediately is not possible, avoid using the LookupCNAME function with the cgo DNS resolver on untrusted input or in environments where very long CNAME responses might be encountered.
Can you explain this vulnerability to me?
The vulnerability CVE-2026-33811 affects the Go standard library's net package, specifically the LookupCNAME function when used with the cgo DNS resolver.
A very long CNAME DNS response can trigger a double-free of C memory, which means the program attempts to free the same memory twice, leading to a crash.
This issue impacts certain Go versions before 1.25.10 and from 1.26.0 up to but not including 1.26.3, and it was fixed by updating the LookupCNAME function and related resolver code.
How can this vulnerability impact me?
This vulnerability can cause a program using the affected Go versions and the LookupCNAME function with the cgo DNS resolver to crash unexpectedly.
Such crashes can lead to denial of service conditions, potentially disrupting applications or services that rely on DNS lookups via this function.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when using the LookupCNAME function with the cgo DNS resolver in affected Go versions. Detection means establishing two things: whether your system is running a vulnerable Go version (before 1.25.10, or from 1.26.0 up to but not including 1.26.3), and whether your applications call LookupCNAME with the cgo DNS resolver.
You can check the Go version installed on your system with the command:
- `go version`
To determine whether an application uses LookupCNAME with the cgo DNS resolver, review the code and the resolver configuration it runs with (the cgo resolver is selected by the platform defaults or by the GODEBUG netdns setting). Additionally, monitoring logs for crashes during DNS lookups or for double-free errors can indicate exploitation attempts.
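The following Go program is an added example, not code from the Go project or from this advisory. It combines the two checks discussed above: it classifies a toolchain version string (as returned by `runtime.Version()` or `go version`) against the affected ranges stated on this page using the standard `go/version` package, and it shows the mitigation of forcing the pure-Go resolver via `net.Resolver{PreferGo: true}` so that CNAME lookups never reach the cgo resolver. The function names `IsAffected`, `PureGoResolver` and `lookupCNAME` are this example's own, and the version boundaries are taken verbatim from the advisory text.

```go
package main

import (
	"context"
	"fmt"
	"go/version"
	"net"
	"runtime"
	"time"
)

// IsAffected reports whether toolchain version v (for example "go1.26.2",
// the format runtime.Version() returns) falls inside the affected ranges
// given in the advisory: before 1.25.10, or from 1.26.0 up to but not
// including 1.26.3. Strings that are not Go release versions (such as
// "devel ..." builds) cannot be classified and produce an error.
func IsAffected(v string) (bool, error) {
	if !version.IsValid(v) {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	// Everything older than the first fixed release is affected.
	if version.Compare(v, "go1.25.10") < 0 {
		return true, nil
	}
	// The 1.26 series is affected from 1.26.0 until the fixed 1.26.3.
	if version.Compare(v, "go1.26.0") >= 0 && version.Compare(v, "go1.26.3") < 0 {
		return true, nil
	}
	return false, nil
}

// PureGoResolver returns a resolver that prefers Go's built-in DNS
// implementation over the cgo (libc) resolver, which is where the
// double-free lives. Setting GODEBUG=netdns=go at process start has the
// same effect for the whole program. Caveat: PreferGo only applies on
// platforms where the built-in resolver is available.
func PureGoResolver() *net.Resolver {
	return &net.Resolver{PreferGo: true}
}

// lookupCNAME performs a CNAME lookup through the pure-Go resolver with a
// bounded timeout so a slow or malicious authoritative server cannot hang
// the caller indefinitely.
func lookupCNAME(ctx context.Context, host string) (string, error) {
	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
	defer cancel()
	return PureGoResolver().LookupCNAME(ctx, host)
}

func main() {
	v := runtime.Version()
	affected, err := IsAffected(v)
	switch {
	case err != nil:
		fmt.Println("cannot classify toolchain:", err)
	case affected:
		fmt.Printf("%s is in an affected range; upgrade to 1.25.10+ or 1.26.3+\n", v)
	default:
		fmt.Printf("%s is not in an affected range\n", v)
	}

	// Example lookup against a placeholder host; replace with a real name.
	if cname, err := lookupCNAME(context.Background(), "example.invalid"); err != nil {
		fmt.Println("lookup failed:", err)
	} else {
		fmt.Println("CNAME:", cname)
	}
}
```

Run the binary under the toolchain you want to audit; the version branch reports the classification and the lookup demonstrates the resolver configuration. The version check is a convenience for inventories built from `go version` output, not a substitute for upgrading.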
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-33811 causes a double-free of C memory and a crash when using the LookupCNAME function with the cgo DNS resolver in Go. It results in a denial of service due to application crashes but does not directly impact confidentiality or integrity of data.
Since the vulnerability does not lead to data leakage, unauthorized access, or modification, it does not directly affect compliance with data protection standards such as GDPR or HIPAA, which focus on protecting personal and sensitive data.
However, the denial of service caused by this vulnerability could indirectly affect availability requirements under these regulations if critical systems relying on the vulnerable Go code become unavailable.