Description
Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.
Published: 2026-06-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Decoding a maliciously-crafted MIME header that contains many invalid encoded-words triggers quadratic-time behaviour in the Go standard library's mime.WordDecoder.DecodeHeader: CPU cost grows with the square of the amount of malformed input rather than linearly, so a single oversized header can consume enough CPU to deny service to other requests on a loaded system. The entry is classified as inefficient algorithmic complexity (CWE-407); a CWE-442 tag was also recorded against it (see History below).

Affected Systems

The vulnerability is in the mime package of the Go standard library, so any Go program that calls mime.WordDecoder.DecodeHeader (directly, or through a library that decodes RFC 2047 encoded-words in mail or MIME headers) is affected. The advisory does not list affected or fixed Go releases; treat every Go version prior to the upstream fix as potentially impacted.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): reachable over the network, no authentication or user interaction required, impact limited to availability. EPSS is below 1% and the CVE is not in the CISA KEV catalog, so there is no evidence of exploitation in the wild at the time of writing. An attacker only needs to deliver a large header with many invalid encoded-words to a service that decodes it, for example a mail receiver or any HTTP or API handler that passes client-controlled header values to DecodeHeader. The flaw yields no code execution or privilege gain; its only effect is CPU exhaustion.

Generated by OpenCVE AI on June 3, 2026 at 15:25 UTC.

Remediation

No fix version or workaround is recorded on this page yet; check the Go release notes for the patched releases.

OpenCVE Recommended Actions

  • Upgrade Go to a release that incorporates the fix; consult the Go release notes for the corresponding patch.
  • Check the size of MIME header values and reject anything above a sensible limit before calling DecodeHeader; this is the one mitigation that prevents the CPU from being spent at all.
  • If an immediate upgrade is not possible, isolate MIME parsing in a separate process or enforce a CPU budget/timeout so that one request cannot exhaust the service. Note that a deadline on the caller only bounds latency: a Go goroutine already inside DecodeHeader keeps running until it returns, so process isolation or the up-front size limit is what actually caps CPU.
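The two mitigations in the list above (a size check before DecodeHeader, and a deadline around the call), applied to the quadratic-time DecodeHeader behaviour described under Impact, as an added Go example that is not part of the original advisory or of the Go project's code. The 8 KiB limit, the 200 ms budget and the names safeDecodeHeader, decodeHeader and buildInvalidWords are assumptions made for this example; the header inputs are constructed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"mime"
	"strings"
	"time"
)

// maxHeaderLen caps the raw header length accepted before decoding.
// 8 KiB is an assumption made for this example; size it for your traffic.
const maxHeaderLen = 8 * 1024

// defaultBudget is the wall-clock budget for one decode (also an assumption).
const defaultBudget = 200 * time.Millisecond

var (
	ErrHeaderTooLong = errors.New("mime header exceeds size limit")
	ErrDecodeTimeout = errors.New("mime header decode exceeded time budget")
)

// safeDecodeHeader applies both mitigations: reject oversized headers before
// DecodeHeader runs, then run DecodeHeader under the caller's deadline.
func safeDecodeHeader(ctx context.Context, dec *mime.WordDecoder, hdr string) (string, error) {
	if len(hdr) > maxHeaderLen {
		return "", ErrHeaderTooLong
	}
	type result struct {
		s   string
		err error
	}
	ch := make(chan result, 1) // buffered so the goroutine never blocks on send
	go func() {
		s, err := dec.DecodeHeader(hdr)
		ch <- result{s, err}
	}()
	select {
	case r := <-ch:
		return r.s, r.err
	case <-ctx.Done():
		// DecodeHeader cannot be cancelled: the goroutine keeps burning CPU
		// until it returns. The deadline bounds the caller's latency only;
		// the size limit above (or a separate process) is what caps CPU.
		return "", ErrDecodeTimeout
	}
}

// decodeHeader wraps safeDecodeHeader with a fresh decoder and defaultBudget.
func decodeHeader(hdr string) (string, error) {
	ctx, cancel := context.WithTimeout(context.Background(), defaultBudget)
	defer cancel()
	return safeDecodeHeader(ctx, new(mime.WordDecoder), hdr)
}

// buildInvalidWords returns a constructed header made of n encoded-words
// that are syntactically malformed (unsupported transfer encoding "X"),
// the shape of input the advisory describes. It is used here only to
// show the size limit rejecting such input before decoding starts.
func buildInvalidWords(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		b.WriteString("=?utf-8?X?aaaa?= ")
	}
	return b.String()
}

func main() {
	// A well-formed RFC 2047 header decodes normally.
	s, err := decodeHeader("=?utf-8?q?Caf=C3=A9?= au lait")
	fmt.Printf("valid: %q err=%v\n", s, err)

	// A small header with one invalid encoded-word is passed through verbatim,
	// which is DecodeHeader's documented behaviour for undecodable words.
	s, err = decodeHeader(buildInvalidWords(1) + "hi")
	fmt.Printf("invalid word: %q err=%v\n", s, err)

	// A large header full of invalid encoded-words is refused up front,
	// so DecodeHeader never runs on it.
	_, err = decodeHeader(buildInvalidWords(20000))
	fmt.Println("oversized:", err)
}
```

buildInvalidWords only produces the input shape; the example does not benchmark the unpatched decoder. In a real service the size check belongs at the point where the header value is read from the network, so that the oversized value is never buffered in full, and the timeout is a backstop rather than the primary control.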


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-407
Metrics                       cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                              ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 12:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Golang
                                      Golang mime
Vendors & Products                    Golang
                                      Golang mime

Wed, 03 Jun 2026 04:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-442

Wed, 03 Jun 2026 02:30:00 +0000

Type          Values Removed   Values Added
Description                    Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.
Title                          Quadratic complexity in WordDecoder.DecodeHeader in mime
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-06-03T14:06:13.623Z

Reserved: 2026-04-28T00:21:12.792Z

Link: CVE-2026-42504

Vulnrichment

Updated: 2026-06-03T14:05:35.965Z

NVD

Status : Received

Published: 2026-06-02T23:16:37.927

Modified: 2026-06-03T16:16:30.157

Link: CVE-2026-42504

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T15:30:26Z

Weaknesses