Description
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
Published: 2026-05-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Go standard library's net/mail package allows an attacker to craft specially formed email addresses that trigger a quadratic time complexity path in the consumePhrase function. When such inputs are parsed, the function performs repeated string concatenations that can consume excessive CPU resources, potentially exhausting system capacity and causing a denial of service. The flaw does not provide privilege escalation or code execution and is limited to disrupting service availability.

Affected Systems

The Go standard library's net/mail package is the affected component. No specific Go versions are listed in the data, so all releases containing net/mail could be vulnerable until a patch is released.

Risk and Exploitability

The exploitability of this flaw requires the target to process an email address that includes the pathological input. Based on the description, it is inferred that the email address can be supplied remotely through network traffic, allowing an attacker to trigger the DoS from outside the host. The EPSS score is < 1%, and the flaw is not listed in CISA's KEV catalog. The CVSS score of 7.5 indicates a high severity, reinforcing the risk of significant resource exhaustion. The threat is significant in environments that handle a large volume of emails or allow unauthenticated input.

Generated by OpenCVE AI on May 13, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Go release that contains the net/mail patch; vendors typically fix such issues in subsequent releases.
  • Validate or enforce a strict length or pattern check on email addresses before they are passed to consumePhrase to prevent quadratic growth from occurring.
  • If upgrading is delayed, run the mail parsing code in a sandboxed or throttled environment that limits CPU usage and implements request timeouts to contain the DoS impact.

Generated by OpenCVE AI on May 13, 2026 at 20:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-229
CWE-730

Wed, 13 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-674
CWE-729

Wed, 13 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang go
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Vendors & Products Golang
Golang go

Fri, 08 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-674
CWE-729

Thu, 07 May 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Go Standard Library
Go Standard Library net\/mail
Vendors & Products Go Standard Library
Go Standard Library net\/mail

Thu, 07 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
Title Quadratic string concatenation in consumePhrase in net/mail
References

Subscriptions

Go Standard Library Net\/mail
Golang Go
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-08T21:29:59.662Z

Reserved: 2026-04-28T00:21:12.791Z

Link: CVE-2026-42499

cve-icon Vulnrichment

Updated: 2026-05-08T16:55:43.428Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-07T20:16:44.540

Modified: 2026-05-13T16:59:17.563

Link: CVE-2026-42499

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T20:45:04Z

Weaknesses