Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.
AnalysisAI
Integer overflow in NewNTUnicodeString within the Go extended syscall package for Windows allows a local low-privileged attacker to silently inject a truncated NTUnicodeString into applications that expect validation failures on oversized input. Affected is golang.org/x/sys/windows before version 0.44.0. Because the function returns a truncated result rather than an error, consuming code may proceed with a malformed string, potentially bypassing length-based security checks or causing downstream logic errors - no public exploit has been identified at time of analysis and EPSS exploitation probability is 0.02%.
Technical ContextAI
golang.org/x/sys is the Go team's extended package for low-level OS syscall access; the windows sub-package provides wrappers for Windows-native data structures. NTUnicodeString is a Windows kernel structure (UNICODE_STRING) whose Length and MaximumLength fields are 16-bit unsigned integers, capping the representable byte count at 65,535. The function NewNTUnicodeString is responsible for constructing this structure from a Go string; CWE-190 (Integer Overflow or Wraparound) describes exactly this class of defect: when the input string's byte length exceeds 65,535, the 16-bit length field wraps around silently, yielding a structurally valid but content-truncated NTUnicodeString. The affected CPE is cpe:2.3:a:golang.org/x/sys:golang.org/x/sys/windows:*:*:*:*:*:*:*:* for all versions prior to 0.44.0.
RemediationAI
Vendor-released patch: golang.org/x/sys/windows v0.44.0. Upgrade by running 'go get golang.org/x/sys@v0.44.0' and rebuilding affected binaries; verify the fix is incorporated by checking go.sum and the module graph. The upstream code change is available at https://go.dev/cl/770080, and the announcement was distributed via the golang-announce mailing list at https://groups.google.com/g/golang-announce/c/6MMI8Lj-Atg. If an immediate upgrade is not possible, a compensating control is to add explicit length validation on any string passed to NewNTUnicodeString - reject or truncate inputs exceeding 32,767 UTF-16 code units (65,534 bytes) before the call. This workaround introduces application-layer complexity and must be applied at every call site, which is error-prone; upgrading to v0.44.0 is strongly preferred.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31498
GHSA-4vpj-hr3r-4gpg