CVE-2026-42504
Awaiting Analysis Awaiting Analysis - Queue

MIME Header Parsing Denial of Service in Go

Vulnerability report for CVE-2026-42504, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-02

Last updated on: 2026-06-03

Assigner: Go Project

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-02
Last Modified
2026-06-03
Generated
2026-07-14
AI Q&A
2026-06-03
EPSS Evaluated
2026-07-12
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
golang go to 1.25.11 (exc)
golang go From 1.26.0 (inc) to 1.26.4 (exc)
golang go 1.27

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves decoding a maliciously-crafted MIME header that contains many invalid encoded-words. When such a header is processed, it can cause excessive CPU consumption.

Impact Analysis

The impact of this vulnerability is that processing specially crafted MIME headers can lead to excessive CPU usage. This could degrade system performance or potentially lead to denial of service conditions if the CPU resources are exhausted.

Compliance Impact

The vulnerability CVE-2026-42504 causes excessive CPU consumption due to a denial-of-service attack vector in the Go mime package when decoding maliciously crafted MIME headers.

There is no information provided in the available resources about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves excessive CPU consumption when decoding maliciously crafted MIME headers with many invalid encoded-words using the Go mime package's WordDecoder.DecodeHeader function.

To detect this vulnerability on your system, you can monitor CPU usage patterns for processes using the Go mime package, especially those handling MIME headers.

There are no specific commands provided in the resources to detect the vulnerability directly, but general monitoring commands include:

  • Use system monitoring tools like 'top' or 'htop' to identify processes with unusually high CPU usage.
  • Use network monitoring tools like 'tcpdump' or 'wireshark' to capture and analyze MIME headers in network traffic for suspiciously crafted encoded-words.
  • If you have access to application logs, look for unusually slow processing or timeouts related to MIME header decoding.
Mitigation Strategies

The primary mitigation step is to update the Go standard library mime package to a patched version where this vulnerability is fixed.

Specifically, upgrade to Go versions at least go1.25.11 or go1.26.4 or later, where the WordDecoder.DecodeHeader function has been improved to handle malicious inputs efficiently.

Until the update is applied, consider limiting or filtering incoming MIME headers that contain suspiciously many encoded-words to reduce the risk of CPU exhaustion.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42504. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart