CVE-2026-39836
Undergoing Analysis Undergoing Analysis - In Progress
Panic on Windows with NUL Input in Go

Publication date: 2026-05-07

Last updated on: 2026-05-08

Assigner: Go Project

Description
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-18
NVD
CVE-2026-39836
EUVD
EUVD-2026-28427
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
golang go From 1.26.0 (inc) to 1.26.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-39836 affects the Go standard library's net package on Windows systems. Specifically, the Dial and LookupPort functions panic when they receive an input containing a NUL (0) byte. Instead of handling such input gracefully, these functions crash, causing a panic.

Impact Analysis

This vulnerability can cause applications using the affected Go functions on Windows to unexpectedly crash or panic when processing inputs containing a NUL byte. This can lead to denial of service or instability in applications relying on these functions for network operations.

Detection Guidance

This vulnerability causes the Dial and LookupPort functions in the Go standard library on Windows to panic when given inputs containing a NUL (0) byte.

To detect this vulnerability on your system, you can test if your Go environment is affected by attempting to call these functions with inputs containing a NUL byte and observing if a panic occurs.

For example, you can write a small Go program that calls net.Dial or net.LookupPort with an address or port string containing a NUL character and see if it panics.

  • Write a Go test program that calls net.Dial("tcp", "localhost\x00:80") and check if it panics.
  • Similarly, test net.LookupPort("tcp", "http\x00") for panic behavior.

If these calls cause a panic, your system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade your Go environment to a fixed version.

The vulnerability affects Go versions before 1.25.10 and from 1.26.0-0 up to but not including 1.26.3.

  • Upgrade to Go version 1.25.10 or later if you are on the 1.25.x series.
  • Alternatively, upgrade to Go version 1.26.3 or later if you are on the 1.26.x series.

These versions include the fix that prevents the Dial and LookupPort functions from panicking on inputs containing NUL bytes by returning an error instead.

Compliance Impact

There is no information provided in the available context or resources about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39836. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart