Description
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
Published: 2026-05-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from a quadratic string concatenation routine in the consumeComment function of Go's net/mail package. When the library parses addresses or dates, well-crafted input reaching that comment parser makes the concatenated string grow quadratically with input size, consuming excessive CPU cycles and allocating large amounts of memory. The flaw is classified as CWE-770, Allocation of Resources Without Limits or Throttling. An attacker who controls such input can trigger a denial of service.

Affected Systems

Affected systems are applications and services that call the Go standard library's net/mail functions ParseAddress, ParseAddressList or ParseDate on untrusted input. Any Go release prior to the fix tracked as GO-2026-4986 is susceptible. The CVE record does not enumerate the affected release versions, but the references indicate that the issue was addressed in a subsequent Go release.

Risk and Exploitability

The EPSS score is below 1%, indicating a very low exploitation probability, and the vulnerability is not currently listed in the CISA KEV catalog. The CVSS 3.1 score of 7.5 (High) reflects a flaw that is reachable over the network without authentication or user interaction and affects availability only (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). An attacker delivering a crafted email or HTTP payload to a vulnerable service could exhaust CPU or memory, causing service downtime or crashing the application. The risk is higher in environments that parse untrusted input without additional validation or rate limiting.

Generated by OpenCVE AI on May 13, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Go release that includes the patch referenced in GO-2026-4986.
  • Apply stricter input validation or sanitization for email addresses and date strings before invoking net/mail parsing functions, rejecting inputs that exceed a reasonable length or complexity.
  • Implement rate limiting and resource quotas on any services that process external email data to reduce the impact of a DoS attempt.
  • Monitor system CPU and memory metrics for anomalous spikes and configure automatic alerts or failover procedures to mitigate downtime.
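One way to implement the length and complexity pre-check from the second action above, as an added example in Go that is not part of this record or of the Go project; the budget constants, the error values and the Safe* wrapper names are assumptions chosen for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
	"time"
)

// Constructed budgets for this added example; tune them to what a service really
// accepts. They cap input size and comment count before any net/mail parser runs.
const (
	maxHeaderLen   = 1024 // bytes per header value
	maxCommentOpen = 16   // '(' characters tolerated per header value
)

var ErrTooLong = errors.New("header value exceeds length budget")
var ErrTooComplex = errors.New("header value exceeds comment budget")

// CheckHeaderValue is a single-pass, allocation-free guard to run before handing
// untrusted header text to ParseAddress, ParseAddressList or ParseDate.
func CheckHeaderValue(v string) error {
	if len(v) > maxHeaderLen {
		return ErrTooLong
	}
	if strings.Count(v, "(") > maxCommentOpen {
		return ErrTooComplex
	}
	return nil
}

// guarded runs the check and only then calls the underlying net/mail parser.
func guarded[T any](parse func(string) (T, error), v string) (T, error) {
	if err := CheckHeaderValue(v); err != nil {
		var zero T
		return zero, err
	}
	return parse(v)
}

// Drop-in replacements for the three net/mail entry points named in the CVE.
func SafeParseAddress(v string) (*mail.Address, error)      { return guarded(mail.ParseAddress, v) }
func SafeParseAddressList(v string) ([]*mail.Address, error) { return guarded(mail.ParseAddressList, v) }
func SafeParseDate(v string) (time.Time, error)              { return guarded(mail.ParseDate, v) }

func main() {
	_, err := SafeParseAddress(strings.Repeat("(", 64) + "a@example.com") // constructed input
	fmt.Println(err)                                                       // header value exceeds comment budget
}
```

The guard is deliberately cheaper than the parser it protects, so it bounds the work an attacker can cause without itself becoming a hot spot.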

Advisories

No advisories yet.

History

Wed, 13 May 2026 15:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Golang; Golang go
Weaknesses            (none)           CWE-770
CPEs                  (none)           cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Golang; Golang go

Fri, 08 May 2026 21:00:00 +0000

Type                  Values Removed   Values Added
Weaknesses            CWE-739          (none)

Fri, 08 May 2026 15:15:00 +0000

Type                  Values Removed   Values Added
Metrics               (none)           cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                                       ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 21:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Go Standard Library; Go Standard Library net/mail
Weaknesses            (none)           CWE-739
Vendors & Products    (none)           Go Standard Library; Go Standard Library net/mail

Thu, 07 May 2026 20:00:00 +0000

Type                  Values Removed   Values Added
Description           (none)           Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
Title                 (none)           Quadratic string concatenation in consumeComment in net/mail
References            (none)

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-08T14:27:54.923Z

Reserved: 2026-04-07T18:13:03.526Z

Link: CVE-2026-39820

Vulnrichment

Updated: 2026-05-08T14:27:47.966Z

NVD

Status : Analyzed

Published: 2026-05-07T20:16:43.187

Modified: 2026-05-13T15:10:58.650

Link: CVE-2026-39820

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T16:30:36Z

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling