Description
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
Published: 2026-05-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a double‑free in the Go standard library’s net package that occurs when LookupCNAME uses the cgo DNS resolver to process an unusually long CNAME response. This memory corruption leads to an application crash, causing a denial of service. The weakness corresponds to CWE‑415.

Affected Systems

Affected systems include any Go environment that uses the net package with the cgo DNS resolver. All current Go releases that have not applied the fix are vulnerable; specific affected versions are not listed in the advisory.

Risk and Exploitability

The flaw does not provide remote code execution, but an attacker who controls a DNS server can use it to supply a long CNAME chain that crashes the process. No EPSS score is available and the vulnerability is not listed in CISA KEV, indicating it has not been broadly exploited yet. Nevertheless, the crash can degrade availability, so applying the vendor patch remains the primary risk mitigation.

Generated by OpenCVE AI on May 7, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Go release that includes the fix for the double‑free in LookupCNAME.
  • If an upgrade cannot be performed immediately, restrict DNS traffic from untrusted sources or block DNS responses that could contain long CNAME chains.
  • Disable the cgo DNS resolver by setting CGO_ENABLED=0 or configuring the Go runtime to use the system resolver if that is acceptable for your application.
  • Monitor application logs for unexpected crashes and confirm the vulnerability is resolved after the upgrade.
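
The "disable the cgo DNS resolver" action can also be checked at startup and scoped to a single resolver. The Go program below is an added example, not code from the Go project or this advisory; its function names are hypothetical, and its exposure check is deliberately conservative: it assumes the cgo resolver may be selected unless cgo is compiled out or GODEBUG sets netdns=go.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"os"
	"runtime/debug"
	"strings"
	"time"
)

// netdnsMode returns the resolver named in a GODEBUG string ("go", "cgo", or "" if unset).
func netdnsMode(godebug string) string {
	mode := ""
	for _, kv := range strings.Split(godebug, ",") {
		kv = strings.TrimSpace(kv)
		if strings.HasPrefix(kv, "netdns=") {
			// "go+1" also enables debug output; keep only the resolver name.
			mode, _, _ = strings.Cut(strings.TrimPrefix(kv, "netdns="), "+")
		}
	}
	return mode
}

// cgoResolverReachable is true unless cgo is compiled out or netdns=go forces the Go resolver.
func cgoResolverReachable(cgoEnabled bool, godebug string) bool {
	return cgoEnabled && netdnsMode(godebug) != "go"
}

// builtWithCgo reads the CGO_ENABLED build setting recorded in the running binary.
func builtWithCgo() bool {
	if info, ok := debug.ReadBuildInfo(); ok {
		for _, s := range info.Settings {
			if s.Key == "CGO_ENABLED" {
				return s.Value == "1"
			}
		}
	}
	return true // setting not recorded: assume cgo is present
}

// pureGoResolver prefers Go's built-in DNS client for lookups made through it only.
func pureGoResolver() *net.Resolver { return &net.Resolver{PreferGo: true} }

func main() {
	if cgoResolverReachable(builtWithCgo(), os.Getenv("GODEBUG")) {
		fmt.Fprintln(os.Stderr, "warning: default resolver may use cgo for LookupCNAME")
	}
	if len(os.Args) > 1 { // host name supplied by the operator
		ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
		defer cancel()
		fmt.Println(pureGoResolver().LookupCNAME(ctx, os.Args[1]))
	}
}
```

`PreferGo` only affects calls made through that resolver value; package-level calls such as `net.LookupCNAME` still follow the process-wide choice.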


Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-415

Thu, 07 May 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
Title | | Crash when handling long CNAME response in net
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-07T19:41:19.285Z

Reserved: 2026-03-23T20:35:32.814Z

Link: CVE-2026-33811

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-07T20:16:42.770

Modified: 2026-05-07T20:38:04.860

Link: CVE-2026-33811

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:30:25Z