CVE-2026-39820 PUBLISHED

Quadratic string concatentation in consumeComment in net/mail

Assigner: Go
Reserved: 07.04.2026 Published: 07.05.2026 Updated: 07.05.2026

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Product Status

Vendor Go standard library
Product net/mail
Versions Default: unaffected
  • affected from 0 to 1.25.10 (excl.)
  • affected from 1.26.0-0 to 1.26.3 (excl.)

Credits

  • thatnealpatel

References

Problem Types

  • CWE-407: Inefficient Algorithmic Complexity