Skip to main content

Go net/mail EUVDEUVD-2026-28423

| CVE-2026-39820 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-07 Go GHSA-p9h5-jm8x-mjm5
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 08, 2026 - 15:22 vuln.today
CVSS changed
May 08, 2026 - 15:22 NVD
7.5 (HIGH)
Patch available
May 07, 2026 - 21:02 EUVD
CVE Published
May 07, 2026 - 19:41 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 19:41 nvd
HIGH 7.5

DescriptionNVD

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

AnalysisAI

Denial of service in Go standard library net/mail package allows remote unauthenticated attackers to exhaust CPU and memory resources via maliciously crafted email addresses or dates. The vulnerability affects ParseAddress, ParseAddressList, and ParseDate functions in Go versions prior to 1.25.10 and 1.26.0-1.26.2. Confirmed actively exploited (CISA KEV status not indicated; exploitation probability 0.02% per EPSS). Vendor-released patches available in Go 1.25.10 and 1.26.3.

Technical ContextAI

The Go standard library's net/mail package provides RFC 5322-compliant parsing of email messages, addresses, and date formats. This vulnerability resides in three parsing functions (ParseAddress, ParseAddressList, ParseDate) that process external email data. When these functions encounter specially crafted inputs, they trigger algorithmic complexity issues leading to excessive CPU consumption and uncontrolled memory allocation. The affected CPE (cpe:2.3:a:go_standard_library:net/mail) indicates this is a core standard library component used by any Go application that parses email messages or headers. The vulnerability class appears to involve resource exhaustion through crafted input, though no CWE mapping was provided. This affects applications using these functions to parse untrusted email data from network sources, SMTP servers, IMAP/POP3 clients, email parsing APIs, or any system ingesting email addresses or date headers.

RemediationAI

Upgrade to Go 1.26.3 or Go 1.25.10 which contain fixes for the resource exhaustion issue in net/mail parsing functions. Recompile all affected applications with the patched Go version to incorporate the standard library fix. For applications that cannot immediately upgrade, implement rate limiting on email parsing operations to restrict the number of ParseAddress, ParseAddressList, and ParseDate calls per client or time window (trade-off: legitimate high-volume email processing may be impacted). Deploy resource constraints using cgroups or container limits to cap CPU and memory consumption for processes handling email parsing (trade-off: may cause parsing failures under legitimate load spikes). Consider input validation to reject email addresses or date strings exceeding reasonable length thresholds before passing to parsing functions (trade-off: may block legitimate but unusual RFC 5322-compliant formats). Vendor advisory: https://groups.google.com/g/golang-announce/c/qcCIEXso47M. Patch implementation details: https://go.dev/cl/759940.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

EUVD-2026-28423 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy