Executive Summary

CVE-2026-42499 is a vulnerability in the Go programming language's net/mail package, specifically in the consumePhrase function used for parsing email addresses according to RFC 5322.

The issue arises from a quadratic string concatenation problem that can be triggered by pathological inputs, causing excessive processing.

This excessive processing can lead to a denial-of-service (DoS) condition, where the system becomes unresponsive or slow when handling certain crafted email addresses.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing a denial-of-service (DoS) condition in applications or services that use the Go net/mail package to parse email addresses.

If an attacker sends specially crafted email addresses designed to exploit this issue, it can cause the application to consume excessive CPU or memory resources, potentially leading to service slowdowns or crashes.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the Go standard library's net/mail package, specifically in the consumePhrase function when parsing email addresses. Detection would involve identifying if your system or applications use vulnerable versions of Go (before 1.25.10 and from 1.26.0-0 up to but not including 1.26.3) and if they parse email addresses using the affected functions.

There are no specific commands provided in the available resources to detect exploitation attempts or the vulnerability directly on your network or system.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Go programming language to a fixed version later than 1.25.10 or 1.26.3, where the issue in the net/mail package's consumePhrase function has been addressed.

Avoid processing untrusted or pathological email address inputs with the affected parsing functions until the fix is applied.

Useful 0 Not Useful 0