Skip to main content

Go net/textproto EUVDEUVD-2026-34040

| CVE-2026-42507 MEDIUM
2026-06-02 Go GHSA-h3gm-q7m7-mp28
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 20:23 vuln.today
CVSS changed
Jun 03, 2026 - 20:22 NVD
5.3 (MEDIUM)
CVE Published
Jun 02, 2026 - 22:01 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

AnalysisAI

Error message injection in Go's net/textproto standard library package allows unauthenticated remote attackers to embed attacker-controlled content into error strings that applications subsequently print or log. Affected Go releases span all net/textproto versions prior to 1.25.11 and 1.26.4, covering a broad surface area of Go-based HTTP, MIME, and mail-handling applications. No public exploit code exists and exploitation probability is extremely low (EPSS 0.02%, 5th percentile), but the integrity risk is real in deployments where net/textproto errors are surfaced to logs, monitoring systems, or user-facing output without sanitization.

Technical ContextAI

The net/textproto package (cpe:2.3:a:go_standard_library:net/textproto:*:*:*:*:*:*:*:*) is a foundational Go standard library component used to parse MIME-style headers, HTTP headers, NNTP responses, and similar text-based protocols. When internal functions in this package encounter parsing or protocol errors, they construct error values that embed the raw input string directly. Because no CWE has been formally assigned, the root cause class spans both CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, i.e., injection) and CWE-116 (Improper Encoding or Escaping of Output). The practical effect is a log injection / error message injection primitive: an adversary who controls protocol input (e.g., a crafted HTTP header value) can include newline characters, control sequences, or fabricated log lines that appear verbatim in error output. The flaw is tracked upstream as Go issue #79346 and remediated in change list CL-777060.

RemediationAI

The primary fix is upgrading the Go toolchain to version 1.25.11 or later for the 1.25.x branch, or to version 1.26.4 or later for the 1.26.x branch; vendor-released patches are confirmed available per the Go team announcement (https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw) and the Go vulnerability database entry GO-2026-5039 (https://pkg.go.dev/vuln/GO-2026-5039). After upgrading the Go toolchain, applications must be recompiled against the patched standard library since Go compiles the standard library statically into binaries. For teams unable to upgrade immediately, the most actionable compensating control is to sanitize or structured-format all error strings derived from net/textproto before passing them to loggers: replace or strip newline characters (\n, \r) and ANSI escape sequences from error messages prior to logging. A second mitigation is configuring log aggregation systems (e.g., Fluent Bit, Logstash) to enforce strict JSON-only ingestion, preventing injected plaintext lines from being parsed as legitimate log events. Both workarounds carry the trade-off of adding application-layer error-handling complexity and may mask legitimate multi-line error detail.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected

Share

EUVD-2026-34040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy