CVE-2026-39824 - Vulnerability Details

Description

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.

Published: 2026-05-22

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in the golang.org/x/sys/windows package, where the NewNTUnicodeString function does not enforce the maximum length limit of a NTUnicodeString. When a string larger than the 16‑bit length field is supplied, the function silently truncates the string instead of reporting an error.

Affected Systems

The only vendor and product explicitly listed is golang.org/x/sys/windows. No specific versions are given, so any release that uses the current implementation of NewNTUnicodeString before a fix may be impacted.

Risk and Exploitability

EPSS information is not available and the issue is not listed in CISA KEV, indicating limited publicly known exploitation. The problem is an integer overflow that leads to truncation, but no exploitation details are disclosed. The risk depends on how the function is used in applications; it may cause unexpected behavior if the full string is required.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

golang.org/x/sys

golang.org/x/sys/windows

unaffected

Version	Status	Constraints
`0`	affected	< 0.44.0

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a Golang release that includes the NewNTUnicodeString integer overflow fix.
If an upgrade is impractical, validate the length of the string before calling NewNTUnicodeString to ensure it does not exceed the maximum NTUnicodeString size.
Review and audit code paths that use NewNTUnicodeString to confirm that truncated values will not introduce logic errors, and adjust logic if necessary.

Generated by OpenCVE AI on May 22, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://go.dev/cl/770080
https://go.dev/issue/78916
https://groups.google.com/g/golang-announce/c/6MMI8Lj-Atg
https://pkg.go.dev/vuln/GO-2026-5024

History

Fri, 22 May 2026 22:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20 CWE-680

Fri, 22 May 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.
Title		Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
References		https://go.dev/cl/770080 https://go.dev/issue/78916 https://groups.google.com/g/golang-announce/c/6MMI8Lj-Atg https://pkg.go.dev/vuln/GO-2026-5024

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2026-05-22T19:39:47.629Z

Updated: 2026-05-22T19:39:47.629Z

Reserved: 2026-04-07T18:13:03.527Z

Link: CVE-2026-39824

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T22:00:12Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object