CVE-2026-42499
Modified Modified - Updated After Analysis

Pathological Inputs Cause DoS in Go Email Parser

Vulnerability report for CVE-2026-42499, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-07

Last updated on: 2026-07-08

Assigner: Go Project

Description

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-07
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-05-07
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
golang go From 1.26.0 (inc) to 1.26.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1046 The product creates an immutable text string using string concatenation operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-42499 is a vulnerability in the Go programming language's net/mail package, specifically in the consumePhrase function used for parsing email addresses according to RFC 5322.

The issue arises from a quadratic string concatenation problem that can be triggered by pathological inputs, causing excessive processing.

This excessive processing can lead to a denial-of-service (DoS) condition, where the system becomes unresponsive or slow when handling certain crafted email addresses.

Impact Analysis

This vulnerability can impact you by causing a denial-of-service (DoS) condition in applications or services that use the Go net/mail package to parse email addresses.

If an attacker sends specially crafted email addresses designed to exploit this issue, it can cause the application to consume excessive CPU or memory resources, potentially leading to service slowdowns or crashes.

Detection Guidance

This vulnerability involves the Go standard library's net/mail package, specifically in the consumePhrase function when parsing email addresses. Detection would involve identifying if your system or applications use vulnerable versions of Go (before 1.25.10 and from 1.26.0-0 up to but not including 1.26.3) and if they parse email addresses using the affected functions.

There are no specific commands provided in the available resources to detect exploitation attempts or the vulnerability directly on your network or system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Go programming language to a fixed version later than 1.25.10 or 1.26.3, where the issue in the net/mail package's consumePhrase function has been addressed.

Avoid processing untrusted or pathological email address inputs with the affected parsing functions until the fix is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42499. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart