Description
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
Published: 2026-05-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Go standard library's net/mail package allows an attacker to craft specially formed email addresses that trigger a quadratic time complexity path in the consumePhrase function. When such inputs are parsed, the function performs repeated string concatenations that can consume excessive CPU resources, potentially exhausting system capacity and causing a denial of service. The flaw does not provide privilege escalation or code execution and is limited to disrupting service availability.

Affected Systems

The Go standard library's net/mail package is the affected component. No specific Go versions are listed in the data, so all releases containing net/mail could be vulnerable until a patch is released.

Risk and Exploitability

The exploitability of this flaw requires the target to process an email address that includes the pathological input. Because the email address can be supplied remotely through network traffic, an attacker can trigger the DoS from outside the host. The EPSS score is not available, and the flaw is not listed in CISA's KEV catalog. The CVE data does not provide a severity rating, so the risk assessment is limited to the potential for resource exhaustion. The threat is significant in environments that handle a large volume of emails or allow unauthenticated input.

Generated by OpenCVE AI on May 7, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Go release that contains the net/mail patch; vendors typically fix such issues in subsequent releases.
  • Validate or enforce a strict length or pattern check on email addresses before they are passed to consumePhrase to prevent quadratic growth from occurring.
  • If upgrading is delayed, run the mail parsing code in a sandboxed or throttled environment that limits CPU usage and implements request timeouts to contain the DoS impact.

Generated by OpenCVE AI on May 7, 2026 at 22:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-674
CWE-729

Thu, 07 May 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Go Standard Library
Go Standard Library net\/mail
Vendors & Products Go Standard Library
Go Standard Library net\/mail

Thu, 07 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
Title Quadratic string concatenation in consumePhrase in net/mail
References

Subscriptions

Go Standard Library Net\/mail
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-07T19:41:18.615Z

Reserved: 2026-04-28T00:21:12.791Z

Link: CVE-2026-42499

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-07T20:16:44.540

Modified: 2026-05-07T20:33:39.270

Link: CVE-2026-42499

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T22:30:36Z

Weaknesses