Skip to main content

Go net library EUVDEUVD-2026-28419

| CVE-2026-33811 HIGH
Double Free (CWE-415)
2026-05-07 Go GHSA-497x-jcxf-m478
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 08, 2026 - 15:22 vuln.today
CVSS changed
May 08, 2026 - 15:22 NVD
7.5 (HIGH)
Patch available
May 07, 2026 - 21:02 EUVD
CVE Published
May 07, 2026 - 19:41 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 19:41 nvd
HIGH 7.5

DescriptionNVD

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

AnalysisAI

Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing maliciously crafted CNAME DNS responses. Remote attackers can trigger double-free of C memory in the cgo DNS resolver's LookupCNAME function by sending excessively long CNAME records, causing immediate denial of service. EPSS score of 0.01% (1st percentile) indicates minimal observed exploitation activity despite network-accessible attack vector and no authentication requirement. Vendor patch available via Go 1.25.10 and 1.26.3.

Technical ContextAI

This vulnerability affects Go's net standard library, specifically the cgo-based DNS resolver implementation. The cgo resolver uses C bindings to interact with system DNS facilities. When processing CNAME (Canonical Name) records via the LookupCNAME function, inadequate bounds checking on response length triggers a double-free condition-a memory management error where the same C memory allocation is freed twice. Double-free vulnerabilities corrupt heap metadata and typically result in immediate process termination. The affected component (CPE: cpe:2.3:a:go_standard_library:net) is a core networking library used by virtually all Go applications that perform DNS lookups, making this a supply-chain concern. The vulnerability specifically affects applications compiled with cgo enabled (the default on most platforms) that rely on system DNS resolution rather than Go's pure-Go resolver.

RemediationAI

Upgrade Go to version 1.25.10 or later (for 1.25.x users) or version 1.26.3 or later (for 1.26.x users) as documented in the official golang-announce mailing list (https://groups.google.com/g/golang-announce/c/qcCIEXso47M). Recompile all affected applications with the patched Go toolchain, as the fix is implemented in the standard library and requires rebuilding binaries. No configuration changes are required post-upgrade. For environments unable to immediately patch, implement DNS response filtering at network boundary to reject CNAME records exceeding RFC 1035 length limits (255 octets per label, 1024 octets total), though this adds operational complexity and potential for legitimate response rejection. Alternatively, force use of Go's pure-Go DNS resolver by setting GODEBUG=netdns=go environment variable, which bypasses the vulnerable cgo path entirely but may exhibit different DNS behavior on some systems (e.g., not respecting /etc/hosts). Advisory URL with vulnerability database entry: https://pkg.go.dev/vuln/GO-2026-4981.

More in Net

View all
CVE-2018-17848 HIGH POC
7.5 Oct 01

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "

CVE-2018-17847 HIGH POC
7.5 Oct 01

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading

CVE-2018-17143 HIGH POC
7.5 Sep 17

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a

CVE-2018-17142 HIGH POC
7.5 Sep 17

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "pani

CVE-2018-17075 HIGH POC
7.5 Sep 16

The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic:

CVE-2026-45491 MEDIUM POC
5.5 Jun 09

Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthe

CVE-2024-43498 CRITICAL
9.8 Nov 12

.NET and Visual Studio Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-36049 CRITICAL
9.8 Nov 14

.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this v

CVE-2024-57854 CRITICAL
9.1 Mar 05

Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.

CVE-2026-11373 CRITICAL
9.1 Jun 22

Metric injection in the Perl module Net::Statsite::Client through version 1.1.0 allows attackers controlling metric name

CVE-2026-45591 HIGH
7.5 Jun 09

Remote denial of service in ASP.NET Core enables unauthenticated network attackers to exhaust server resources and disru

CVE-2026-45490 HIGH
7.8 Jun 09

Local privilege escalation in Microsoft .NET allows an authenticated low-privileged user to elevate to higher privileges

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

EUVD-2026-28419 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy