The Go standard library’s net package contains a defect that causes the Dial and LookupPort functions to panic when a Windows platform receives an input string that contains a NUL (0) byte. The panic terminates the process, leading to a loss of service for the application that called the function. This issue is a classic instance of improper input validation that results in program termination, producing a denial of service condition for any process that relies on those network APIs.

The vulnerability affects the Go standard library package net, which is bundled with all Go releases that include this defect. It is specific to Windows operating system environments. No explicit version range is given in the advisory, so the defect may be present in any Go version that has not yet incorporated the fix referenced in the Go issue tracker.

The CVSS score of 7.5 indicates a high severity, while the EPSS score of <1% shows a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, but the defect is deterministic and will crash any code that passes an unvalidated string containing a NUL byte to Dial or LookupPort on Windows. The attack vector is likely local or remote, depending on whether the offending input originates from an external request processed by a Go application. An attacker could trigger the crash by supplying a crafted address string or port name to a service that uses these functions, causing the service to terminate and disrupting availability for legitimate users.