Description
NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of an NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.
Published: 2026-05-22
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the golang.org/x/sys/windows package, where the NewNTUnicodeString function does not enforce the maximum length of an NTUnicodeString. When the supplied string needs more bytes than the 16‑bit length field can represent, the function silently truncates the string instead of reporting an error.

Affected Systems

The only vendor and product explicitly listed is golang.org/x/sys/windows. No specific versions are given, so any release that uses the current implementation of NewNTUnicodeString before a fix may be impacted.

Risk and Exploitability

The EPSS score of < 1% indicates a very low probability of exploitation, and the issue is not listed in CISA KEV, suggesting limited publicly known exploits. The problem is an integer overflow that leads to truncation, but no exploitation details are disclosed. The risk depends on how the function is used in applications: callers that require the full string may behave unexpectedly when they receive a truncated one. The CVSS 3.1 score of 3.3 (vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) rates the issue as low severity, with a low integrity impact and no confidentiality or availability impact.

Generated by OpenCVE AI on May 27, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade golang.org/x/sys to a release that includes the NewNTUnicodeString integer overflow fix.
  • If an upgrade is impractical, validate the length of the string before calling NewNTUnicodeString to ensure it does not exceed the maximum NTUnicodeString size.
  • Review and audit code paths that use NewNTUnicodeString to confirm that truncated values will not introduce logic errors, and adjust logic if necessary.

Generated by OpenCVE AI on May 27, 2026 at 21:44 UTC.
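
The pre-call length check from the second recommended action, as an added example (not code from golang.org/x/sys or from OpenCVE). The names CheckNTUnicodeLen, ntUnicodeByteLen and wrappedLen are hypothetical, and the byte count assumes the UTF-16 buffer includes a terminating NUL, which the page does not state.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// maxNTUnicodeBytes is the largest byte count a 16-bit length field can hold.
const maxNTUnicodeBytes = 0xFFFF

// ErrNTStringTooLong is a hypothetical sentinel error for callers to match on.
var ErrNTStringTooLong = errors.New("string too long for NTUnicodeString")

// ntUnicodeByteLen returns the size of s in bytes once encoded as UTF-16.
// Assumption: one extra code unit is counted for a terminating NUL.
func ntUnicodeByteLen(s string) int {
	return (len(utf16.Encode([]rune(s))) + 1) * 2
}

// CheckNTUnicodeLen rejects strings whose UTF-16 byte length does not fit in
// 16 bits. Call it before NewNTUnicodeString and fail closed on error.
func CheckNTUnicodeLen(s string) error {
	if n := ntUnicodeByteLen(s); n > maxNTUnicodeBytes {
		return fmt.Errorf("%w: %d bytes, limit %d", ErrNTStringTooLong, n, maxNTUnicodeBytes)
	}
	return nil
}

// wrappedLen shows the value a 16-bit field would hold if the byte count were
// stored without a check; this is the silent truncation the advisory describes.
func wrappedLen(s string) uint16 {
	return uint16(ntUnicodeByteLen(s))
}

func main() {
	// Constructed inputs: a short path, a string one unit over the limit, and
	// 20000 emoji (few runes, but two UTF-16 code units each).
	samples := []string{`C:\Windows`, strings.Repeat("A", 32767), strings.Repeat("😀", 20000)}
	for _, s := range samples {
		fmt.Printf("runes=%d utf16_bytes=%d unchecked_uint16=%d err=%v\n",
			len([]rune(s)), ntUnicodeByteLen(s), wrappedLen(s), CheckNTUnicodeLen(s))
	}
}
```

The emoji case shows why the check has to be made on the UTF-16 byte length: 20000 runes look well within bounds but encode to 80002 bytes.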

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-680

Wed, 27 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang sys
Vendors & Products Golang
Golang sys

Fri, 22 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-680

Fri, 22 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.
Title Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-27T13:31:26.148Z

Reserved: 2026-04-07T18:13:03.527Z

Link: CVE-2026-39824

Vulnrichment

Updated: 2026-05-27T13:29:34.717Z

NVD

Status: Awaiting Analysis

Published: 2026-05-22T20:16:33.057

Modified: 2026-05-27T14:16:46.387

Link: CVE-2026-39824

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:45:43Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound