Description
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
Published: 2026-05-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported vulnerability stems from a quadratic string concatenation routine within the consumeComment function of Go’s net/mail package. When the library parses addresses or dates, malformed input can make the concatenated string grow disproportionately, consuming excessive CPU cycles and allocating large amounts of memory. An attacker can craft such input to deliberately cause a denial of service.

Affected Systems

Affected systems are applications and services that use the Go standard library’s net/mail functions ParseAddress, ParseAddressList, and ParseDate. Any Go release prior to the fix in GO-2026-4986 is susceptible. The specific release versions are not listed in the CVE record, but the references indicate that the issue was addressed in a later Go release following the issue report.

Risk and Exploitability

While no EPSS score is available and the vulnerability is not currently listed in the CISA KEV catalog, the nature of the flaw (excessive resource consumption during parsing) implies high severity. An attacker delivering a crafted email or HTTP payload to a vulnerable service could exhaust CPU or memory, potentially causing service downtime or crashing the application. The risk is amplified in environments that process untrusted input without additional validation or rate limiting.

Generated by OpenCVE AI on May 7, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Go release that includes the patch referenced in GO-2026-4986.
  • Apply stricter input validation or sanitation for email addresses and date strings before invoking net/mail parsing functions, rejecting inputs that exceed reasonable length or complexity.
  • Implement rate limiting and resource quotas on any services that process external email data to reduce the impact of a DoS attempt.
  • Monitor system CPU and memory metrics for anomalous spikes and configure automatic alerts or failover procedures to mitigate downtime.
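The length-bounding guard from the second recommendation, as an added Go example (not code from the Go project or from the advisory): because the cost of a quadratic routine is governed by input length, capping the bytes that reach net/mail bounds the worst case. The caps and the Safe* names are assumptions; the same guard applies to ParseDate.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// Caps are assumed values, not from the advisory: a quadratic routine does
// roughly n^2 work, so bounding n keeps the worst case small and predictable.
const (
	MaxAddressLen = 1024  // a single mailbox, generous for RFC 5322
	MaxListLen    = 16384 // a whole To:/Cc: header value
)

var ErrInputTooLong = errors.New("net/mail input exceeds size cap")

// checkLen rejects oversized input before net/mail ever sees the bytes.
func checkLen(s string, max int) error {
	if len(s) > max {
		return fmt.Errorf("%w: %d bytes > %d", ErrInputTooLong, len(s), max)
	}
	return nil
}

// SafeParseAddress wraps mail.ParseAddress with the length guard.
func SafeParseAddress(s string) (*mail.Address, error) {
	if err := checkLen(s, MaxAddressLen); err != nil {
		return nil, err
	}
	return mail.ParseAddress(s)
}

// SafeParseAddressList wraps mail.ParseAddressList the same way.
func SafeParseAddressList(s string) ([]*mail.Address, error) {
	if err := checkLen(s, MaxListLen); err != nil {
		return nil, err
	}
	return mail.ParseAddressList(s)
}

func main() {
	// Constructed inputs: a normal address and one padded with a huge comment.
	a, err := SafeParseAddress("Alice <alice@example.com>")
	fmt.Println(a, err)
	huge := "(" + strings.Repeat("x", 100000) + ") alice@example.com"
	_, err = SafeParseAddress(huge)
	fmt.Println("oversized rejected:", errors.Is(err, ErrInputTooLong))
}
```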



Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Go Standard Library; Go Standard Library net/mail
Weaknesses | | CWE-739
Vendors & Products | | Go Standard Library; Go Standard Library net/mail

Thu, 07 May 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
Title | | Quadratic string concatenation in consumeComment in net/mail
References | |

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-07T19:41:19.854Z

Reserved: 2026-04-07T18:13:03.526Z

Link: CVE-2026-39820

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-07T20:16:43.187

Modified: 2026-05-07T20:38:04.860

Link: CVE-2026-39820

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:30:25Z

Weaknesses