CVE-2026-39820
Undergoing Analysis - In Progress
Excessive CPU and Memory Allocation in Go's Parse Functions

Publication date: 2026-05-07

Last updated on: 2026-05-08

Assigner: Go Project

Description
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
Meta Information
Published: 2026-05-07
Last Modified: 2026-05-08
Generated: 2026-06-19
AI Q&A: 2026-05-08
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Vendor   Product   Version / Range
golang   go        to 1.26.0 (exc)
golang   go        From 1.26.0 (inc) to 1.26.3 (exc)
golang   go        1.27
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Go standard library's net/mail package, specifically in functions like ParseAddress, ParseAddressList, and ParseDate.

Well-crafted inputs can cause these functions to consume excessive CPU and allocate excessive memory because of quadratic complexity in the consumeComment function.

This leads to significant resource consumption when processing certain inputs, potentially degrading performance or causing denial-of-service conditions.

Impact Analysis

The vulnerability can lead to excessive CPU usage and memory consumption when processing specially crafted inputs.

This can cause performance degradation or denial-of-service (DoS) conditions in applications using the affected Go net/mail package functions.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage and memory allocation while applications using the Go net/mail package parse email addresses or dates.

Specifically, well-crafted data reaching the ParseAddress, ParseAddressList, or ParseDate functions may cause excessive resource consumption.

To detect exploitation attempts or the vulnerability in your system, you can monitor the CPU and memory usage of Go applications handling mail parsing.

While no explicit commands are provided in the resources, general commands to monitor resource usage include:

  • Using top or htop to observe CPU and memory usage of Go processes.
  • Using pprof or Go's built-in profiling tools to analyze CPU and memory usage during mail parsing operations.
  • Logging and analyzing inputs to ParseAddress, ParseAddressList, and ParseDate functions to identify suspicious or malformed inputs causing resource spikes.

Mitigation Strategies

The immediate mitigation step is to upgrade the Go version used in your environment.

The vulnerability affects Go versions before 1.25.10 and from 1.26.0-0 up to but not including 1.26.3.

Upgrading to Go 1.25.10, 1.26.3, or later versions where the issue is fixed will resolve the vulnerability.

Additionally, consider reviewing and sanitizing inputs to the ParseAddress, ParseAddressList, and ParseDate functions to reduce the risk of processing maliciously crafted inputs.
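
One way to bound inputs before they reach the affected parsers, as an added example (not code from the Go project or from this advisory page). The wrapper names, the 4096-byte cap and the limit of 16 comment openers are assumptions chosen for illustration; the check works alongside the upgrade and does not replace it.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
	"time"
)

// Assumed limits for this example; tune them to your own traffic.
const maxHeaderBytes = 4096 // cap on one header value handed to net/mail
const maxCommentOpen = 16   // cap on '(' characters, which open RFC 5322 comments

var ErrTooLong = errors.New("mailguard: header value exceeds size limit")
var ErrTooManyComments = errors.New("mailguard: too many comment openers")

// checkBounds rejects a value before any net/mail parser sees it.
func checkBounds(v string) error {
	if len(v) > maxHeaderBytes {
		return ErrTooLong
	}
	if strings.Count(v, "(") > maxCommentOpen {
		return ErrTooManyComments
	}
	return nil
}

// SafeParseAddressList bounds the input, then calls mail.ParseAddressList.
func SafeParseAddressList(v string) ([]*mail.Address, error) {
	if err := checkBounds(v); err != nil {
		return nil, err
	}
	return mail.ParseAddressList(v)
}

// SafeParseDate bounds the input, then calls mail.ParseDate.
func SafeParseDate(v string) (time.Time, error) {
	if err := checkBounds(v); err != nil {
		return time.Time{}, err
	}
	return mail.ParseDate(v)
}

func main() {
	list := "Alice <alice@example.com>, bob@example.com" // constructed sample input
	addrs, err := SafeParseAddressList(list)
	fmt.Println(len(addrs), err)
}
```

Logging each rejection with its error value gives the input-level signal described under Detection Guidance without having to store the rejected value itself.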

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
