CVE-2026-42499
Pathological Inputs Cause DoS in Go Email Parser
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | From 1.26.0 (inc) to 1.26.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42499 is a vulnerability in the Go programming language's net/mail package, specifically in the consumePhrase function used for parsing email addresses according to RFC 5322.
The issue arises from a quadratic string concatenation problem that can be triggered by pathological inputs, causing excessive processing.
This excessive processing can lead to a denial-of-service (DoS) condition, where the system becomes unresponsive or slow when handling certain crafted email addresses.
How can this vulnerability impact me? :
This vulnerability can impact you by causing a denial-of-service (DoS) condition in applications or services that use the Go net/mail package to parse email addresses.
If an attacker sends specially crafted email addresses designed to exploit this issue, it can cause the application to consume excessive CPU or memory resources, potentially leading to service slowdowns or crashes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Go standard library's net/mail package, specifically in the consumePhrase function when parsing email addresses. Detection would involve identifying if your system or applications use vulnerable versions of Go (before 1.25.10 and from 1.26.0-0 up to but not including 1.26.3) and if they parse email addresses using the affected functions.
There are no specific commands provided in the available resources to detect exploitation attempts or the vulnerability directly on your network or system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the Go programming language to a fixed version later than 1.25.10 or 1.26.3, where the issue in the net/mail package's consumePhrase function has been addressed.
Avoid processing untrusted or pathological email address inputs with the affected parsing functions until the fix is applied.