CVE-2026-39836
Panic on Windows with NUL Input in Go
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: Go Project
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | From 1.26.0 (inc) to 1.26.3 (exc) |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39836 affects the Go standard library's net package on Windows. The Dial and LookupPort functions panic when they receive a string containing a NUL (0x00) byte, instead of rejecting the input with an error as they should.
How can this vulnerability impact me?
Any application built with an affected Go toolchain that runs on Windows and passes attacker-influenced strings (a proxy target, a user-supplied host:port, a service name read from a request) to these functions can be crashed by a single NUL byte in that input. A Go panic that is not recovered terminates the whole process, not just the goroutine handling the request, so the practical impact is denial of service or instability of anything that relies on these functions for network operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
On affected Go toolchains the Dial and LookupPort functions of the net package panic on Windows when given input containing a NUL (0x00) byte.
The quickest check is the Go version a program was built with: `go version` prints the installed toolchain, and `go version -m <binary>` prints the toolchain recorded in an already built binary; compare that with the fixed versions given in the next answer.
To confirm the behaviour directly, build a small Go program for the Windows target that calls the two functions with NUL-bearing input and observe whether they panic rather than return an error:
- Call net.Dial("tcp", "localhost\x00:80") and check whether it panics.
- Call net.LookupPort("tcp", "http\x00") and check the same.
If either call panics, the toolchain that built the program is affected. The check is only meaningful for Windows builds; the advisory describes the panic as Windows-specific, and note that it tests the toolchain used to build the probe, not the one your production binaries were built with.
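The probe described above, written out as an added example (not code from the Go project or from the advisory). It wraps each call in a recover so a panic is reported as a result instead of killing the process, and it uses net.DialTimeout rather than net.Dial only so the probe cannot hang; the ProbeResult type and the function names are this example's own. Run it on Windows to test the toolchain that built it; on other platforms both calls are expected to return an error, which the program also prints.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"runtime"
	"time"
)

// ProbeResult records how one net call reacted to input containing a NUL byte.
type ProbeResult struct {
	Name     string      // the call that was exercised
	Panicked bool        // true if the call panicked, the symptom CVE-2026-39836 describes
	PanicVal interface{} // the recovered panic value, when Panicked is true
	Err      error       // the value the call returned when it did not panic
}

// probe runs fn with a deferred recover so that a panic is captured and
// reported instead of terminating the process.
func probe(name string, fn func() error) (r ProbeResult) {
	r.Name = name
	defer func() {
		if v := recover(); v != nil {
			r.Panicked = true
			r.PanicVal = v
		}
	}()
	r.Err = fn()
	return r
}

// ProbeLookupPort calls net.LookupPort with a NUL byte embedded in the
// service name, one of the two triggers named in the advisory.
func ProbeLookupPort() ProbeResult {
	return probe("net.LookupPort", func() error {
		_, err := net.LookupPort("tcp", "http\x00")
		return err
	})
}

// ProbeDial calls net.DialTimeout with a NUL byte embedded in the host part
// of the address. DialTimeout follows the same path as net.Dial; the timeout
// only keeps the probe from hanging if the runtime were to resolve the host.
func ProbeDial() ProbeResult {
	return probe("net.Dial", func() error {
		conn, err := net.DialTimeout("tcp", "localhost\x00:80", 2*time.Second)
		if conn != nil {
			conn.Close()
		}
		return err
	})
}

// Vulnerable reports whether any probe panicked.
func Vulnerable(results []ProbeResult) bool {
	for _, r := range results {
		if r.Panicked {
			return true
		}
	}
	return false
}

func main() {
	fmt.Printf("toolchain %s on %s/%s\n", runtime.Version(), runtime.GOOS, runtime.GOARCH)
	results := []ProbeResult{ProbeLookupPort(), ProbeDial()}
	for _, r := range results {
		if r.Panicked {
			fmt.Printf("%-15s PANIC: %v\n", r.Name, r.PanicVal)
		} else {
			fmt.Printf("%-15s returned: %v\n", r.Name, r.Err)
		}
	}
	if Vulnerable(results) {
		fmt.Println("result: this Go toolchain is affected (panic on NUL input)")
		os.Exit(1)
	}
	fmt.Println("result: no panic observed")
}
```

Build it with the toolchain under test (`go build -o nulprobe.exe .` on Windows, or `GOOS=windows GOARCH=amd64 go build` elsewhere) and run the resulting binary on a Windows host; a non-zero exit status means a panic was observed.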
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to rebuild affected programs with a fixed Go toolchain; because the bug is in the standard library, every Windows binary built with an affected version carries it, regardless of whether the application's own code changed.
The vulnerability affects Go versions before 1.25.10 and the 1.26 series from 1.26.0 (including its pre-releases) up to but not including 1.26.3.
- Upgrade to Go 1.25.10 or later if you are on the 1.25.x series.
- Upgrade to Go 1.26.3 or later if you are on the 1.26.x series.
These versions include the fix that makes Dial and LookupPort return an error, rather than panic, on inputs containing NUL bytes. To find builds that still need rebuilding, `go version -m <binary>` reports the toolchain a binary was built with, and govulncheck (golang.org/x/vuln/cmd/govulncheck) reports standard-library advisories for the Go version a module or binary uses. Until a rebuild ships, an application-level guard that rejects NUL bytes in host, port and service strings before they reach the net package prevents the panic but is not a substitute for the upgrade.
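An interim input guard of that kind, as an added example (not part of the Go fix or of the advisory): thin wrappers that reject any network, address or service string containing a NUL byte before delegating to the standard library. The names ErrNULByte, CheckNoNUL, SafeLookupPort and SafeDialContext are hypothetical, chosen for this example. Rejecting such strings loses nothing, since no valid host name, IP literal, port number or service name contains a NUL.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
)

// ErrNULByte is returned when a network, address or service string carries
// an embedded 0x00 byte. Hypothetical name chosen for this example.
var ErrNULByte = errors.New("network input contains a NUL byte")

// CheckNoNUL rejects strings with an embedded NUL before they reach the
// net package, so an affected toolchain never sees the panicking input.
func CheckNoNUL(s string) error {
	if strings.IndexByte(s, 0) >= 0 {
		return ErrNULByte
	}
	return nil
}

// SafeLookupPort validates both arguments, then defers to net.LookupPort.
func SafeLookupPort(network, service string) (int, error) {
	for _, s := range []string{network, service} {
		if err := CheckNoNUL(s); err != nil {
			return 0, err
		}
	}
	return net.LookupPort(network, service)
}

// SafeDialContext validates both arguments, then defers to net.Dialer.DialContext,
// which is the same path net.Dial takes.
func SafeDialContext(ctx context.Context, network, address string) (net.Conn, error) {
	for _, s := range []string{network, address} {
		if err := CheckNoNUL(s); err != nil {
			return nil, err
		}
	}
	var d net.Dialer
	return d.DialContext(ctx, network, address)
}

func main() {
	// Constructed inputs: the two NUL-bearing strings from the advisory's
	// own examples, plus a clean numeric port to show the wrappers are transparent.
	for _, svc := range []string{"http\x00", "443"} {
		port, err := SafeLookupPort("tcp", svc)
		fmt.Printf("LookupPort(%q): port=%d err=%v\n", svc, port, err)
	}
	addr := "localhost\x00:80"
	_, err := SafeDialContext(context.Background(), "tcp", addr)
	fmt.Printf("Dial(%q): err=%v (rejected before any resolution or connect)\n", addr, err)
}
```

Callers check for the guard's error with errors.Is(err, ErrNULByte); everything else passes straight through to the standard library, so the wrappers can be dropped once all builds use a fixed toolchain.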
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
There is no information provided in the available context or resources about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.