CVE-2026-33811 PUBLISHED

Crash when handling long CNAME response in net

Assigner: Go
Reserved: 23.03.2026 Published: 07.05.2026 Updated: 07.05.2026

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

Product Status

Vendor Go standard library
Product net
Versions Default: unaffected
  • affected from 0 to 1.25.10 (excl.)
  • affected from 1.26.0-0 to 1.26.3 (excl.)

Credits

  • hamayanhamayan

References

Problem Types

  • CWE-415: Double Free