Skip to main content

golang.org/x/sys CVE-2026-39824

| EUVDEUVD-2026-31498 LOW
Integer Overflow or Wraparound (CWE-190)
2026-05-22 Go GHSA-4vpj-hr3r-4gpg
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 27, 2026 - 22:15 vuln.today
CVSS changed
May 27, 2026 - 19:37 NVD
3.3 (LOW)
CVE Published
May 22, 2026 - 19:39 nvd
UNKNOWN (no severity yet)
CVE Published
May 22, 2026 - 19:39 nvd
LOW 3.3

DescriptionCVE.org

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.

AnalysisAI

Integer overflow in NewNTUnicodeString within the Go extended syscall package for Windows allows a local low-privileged attacker to silently inject a truncated NTUnicodeString into applications that expect validation failures on oversized input. Affected is golang.org/x/sys/windows before version 0.44.0. Because the function returns a truncated result rather than an error, consuming code may proceed with a malformed string, potentially bypassing length-based security checks or causing downstream logic errors - no public exploit has been identified at time of analysis and EPSS exploitation probability is 0.02%.

Technical ContextAI

golang.org/x/sys is the Go team's extended package for low-level OS syscall access; the windows sub-package provides wrappers for Windows-native data structures. NTUnicodeString is a Windows kernel structure (UNICODE_STRING) whose Length and MaximumLength fields are 16-bit unsigned integers, capping the representable byte count at 65,535. The function NewNTUnicodeString is responsible for constructing this structure from a Go string; CWE-190 (Integer Overflow or Wraparound) describes exactly this class of defect: when the input string's byte length exceeds 65,535, the 16-bit length field wraps around silently, yielding a structurally valid but content-truncated NTUnicodeString. The affected CPE is cpe:2.3:a:golang.org/x/sys:golang.org/x/sys/windows:*:*:*:*:*:*:*:* for all versions prior to 0.44.0.

RemediationAI

Vendor-released patch: golang.org/x/sys/windows v0.44.0. Upgrade by running 'go get golang.org/x/sys@v0.44.0' and rebuilding affected binaries; verify the fix is incorporated by checking go.sum and the module graph. The upstream code change is available at https://go.dev/cl/770080, and the announcement was distributed via the golang-announce mailing list at https://groups.google.com/g/golang-announce/c/6MMI8Lj-Atg. If an immediate upgrade is not possible, a compensating control is to add explicit length validation on any string passed to NewNTUnicodeString - reject or truncate inputs exceeding 32,767 UTF-16 code units (65,534 bytes) before the call. This workaround introduces application-layer complexity and must be applied at every call site, which is error-prone; upgrading to v0.44.0 is strongly preferred.

Share

CVE-2026-39824 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy