Description
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
Published: 2026-05-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a double‑free in the Go standard library’s net package that occurs when LookupCNAME uses the cgo DNS resolver to process an unusually long CNAME response. This memory corruption leads to an application crash, causing a denial of service.

Affected Systems

Affected systems include any Go environment that uses the net package with the cgo DNS resolver. All current Go releases that have not applied the fix are vulnerable; specific affected versions are not listed in the advisory.

Risk and Exploitability

The exploit does not provide remote code execution but can be leveraged by an attacker who controls a DNS server to supply a long CNAME chain that crashes the process. The CVSS score of 7.5 indicates a high severity, and the EPSS score indicates a very low exploitation probability (<1%). The vulnerability is not listed in CISA KEV, indicating it has not been broadly exploited yet. Nevertheless, the crash can degrade availability, so applying the vendor patch remains the primary risk mitigation.

Generated by OpenCVE AI on May 12, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Go release that includes the fix for the double‑free in LookupCNAME.
  • If an upgrade cannot be performed immediately, restrict DNS traffic from untrusted sources or block DNS responses that could contain long CNAME chains.
  • Disable the cgo DNS resolver by setting CGO_ENABLED=0 or configuring the Go runtime to use the system resolver if that is acceptable for your application.

Generated by OpenCVE AI on May 12, 2026 at 22:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang go
Weaknesses CWE-415
CPEs cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Vendors & Products Golang
Golang go

Mon, 11 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Go Standard Library
Go Standard Library net
Vendors & Products Go Standard Library
Go Standard Library net

Fri, 08 May 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Thu, 07 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
Title Crash when handling long CNAME response in net
References

Subscriptions

Go Standard Library Net
Golang Go
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-08T14:25:43.896Z

Reserved: 2026-03-23T20:35:32.814Z

Link: CVE-2026-33811

cve-icon Vulnrichment

Updated: 2026-05-08T14:25:36.174Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-07T20:16:42.770

Modified: 2026-05-12T20:23:02.333

Link: CVE-2026-33811

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T22:30:05Z

Weaknesses