CVE-2026-39820
Excessive CPU and Memory Allocation in Go's Parse Functions
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: Go Project
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | to 1.26.0 (exc) |
| golang | go | From 1.26.0 (inc) to 1.26.3 (exc) |
| golang | go | 1.27 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Go standard library's net/mail package, specifically in functions like ParseAddress, ParseAddressList, and ParseDate.
Well-crafted inputs can cause these functions to consume excessive CPU time and perform excessive memory allocations, due to quadratic complexity in the consumeComment function.
This leads to significant resource consumption when such inputs are processed, potentially degrading performance or causing denial-of-service conditions.
How can this vulnerability impact me?
The vulnerability can lead to excessive CPU usage and memory consumption when processing specially crafted inputs.
This can cause performance degradation or denial-of-service (DoS) conditions in applications using the affected Go net/mail package functions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high CPU usage and memory allocation while applications that use the Go net/mail package parse email addresses or dates.
Specifically, well-crafted inputs passed to the ParseAddress, ParseAddressList, or ParseDate functions may cause excessive resource consumption.
To detect exploitation attempts or the vulnerability in your system, you can monitor the CPU and memory usage of Go applications handling mail parsing.
While no explicit commands are provided in the resources, general commands and techniques for monitoring resource usage include:
- Using top or htop to observe the CPU and memory usage of Go processes.
- Using pprof or Go's built-in profiling tools to analyze CPU and memory usage during mail parsing operations.
- Logging and analyzing the inputs passed to ParseAddress, ParseAddressList, and ParseDate to identify suspicious or malformed inputs that cause resource spikes.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Go version used in your environment.
The vulnerability affects Go versions before 1.25.10 and from 1.26.0-0 up to but not including 1.26.3.
Upgrading to Go 1.25.10, 1.26.3, or later versions where the issue is fixed will resolve the vulnerability.
Additionally, consider reviewing and sanitizing inputs to the ParseAddress, ParseAddressList, and ParseDate functions to reduce the risk of processing maliciously crafted inputs.
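The following is an added example, not code from the Go project or from this advisory, showing one way to apply the detection and mitigation advice above in an application that cannot upgrade immediately: a small wrapper that rejects over-long header values before they reach net/mail, times each parse, and logs parses that exceed a threshold so resource spikes can be correlated with their inputs. The Guard type, its field names, and the 256-byte and 100 ms limits are assumptions chosen for illustration; only the net/mail functions are real.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/mail"
	"time"
)

// ErrInputTooLong is returned when a header value exceeds the configured bound.
var ErrInputTooLong = errors.New("mail header value exceeds length limit")

// Guard wraps the net/mail parse functions with a size bound and a slow-parse
// log line. The limits are illustrative assumptions, not values from Go.
type Guard struct {
	MaxLen    int           // reject inputs longer than this before parsing
	SlowAfter time.Duration // log parses that take longer than this
	Slow      int           // number of slow parses observed (for metrics/tests)
}

// check enforces the length bound; a hard cap removes the large inputs that
// quadratic behaviour needs to become expensive.
func (g *Guard) check(s string) error {
	if len(s) > g.MaxLen {
		return fmt.Errorf("%w: %d bytes > %d", ErrInputTooLong, len(s), g.MaxLen)
	}
	return nil
}

// observe records how long a parse took and logs it if it was slow, which is
// the signal the detection advice above asks operators to watch for.
func (g *Guard) observe(kind string, n int, start time.Time) {
	if d := time.Since(start); d > g.SlowAfter {
		g.Slow++
		log.Printf("slow %s parse: %d-byte input took %s", kind, n, d)
	}
}

// ParseAddress bounds the input, then delegates to mail.ParseAddress.
func (g *Guard) ParseAddress(s string) (*mail.Address, error) {
	if err := g.check(s); err != nil {
		return nil, err
	}
	start := time.Now()
	defer g.observe("address", len(s), start)
	return mail.ParseAddress(s)
}

// ParseAddressList bounds the input, then delegates to mail.ParseAddressList.
func (g *Guard) ParseAddressList(s string) ([]*mail.Address, error) {
	if err := g.check(s); err != nil {
		return nil, err
	}
	start := time.Now()
	defer g.observe("address-list", len(s), start)
	return mail.ParseAddressList(s)
}

// ParseDate bounds the input, then delegates to mail.ParseDate.
func (g *Guard) ParseDate(s string) (time.Time, error) {
	if err := g.check(s); err != nil {
		return time.Time{}, err
	}
	start := time.Now()
	defer g.observe("date", len(s), start)
	return mail.ParseDate(s)
}

func main() {
	g := &Guard{MaxLen: 256, SlowAfter: 100 * time.Millisecond}
	// Constructed sample inputs: one ordinary address and one that is over the bound.
	if a, err := g.ParseAddress("Alice <alice@example.com>"); err == nil {
		fmt.Println("parsed:", a.Name, a.Address)
	}
	long := make([]byte, 300)
	for i := range long {
		long[i] = 'a'
	}
	if _, err := g.ParseAddress(string(long) + "@example.com"); errors.Is(err, ErrInputTooLong) {
		fmt.Println("rejected before parsing:", err)
	}
}
```

The bound is applied before any call into net/mail, so a rejected value costs only a length comparison; the slow-parse counter and log line give you the per-input evidence the detection answer above recommends collecting, without having to profile the whole process.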
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.