CVE-2026-42499 PUBLISHED

Quadratic string concatenation in consumePhrase in net/mail

Assigner: Go
Reserved: 28.04.2026 Published: 07.05.2026 Updated: 07.05.2026

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Product Status

Vendor Go standard library
Product net/mail
Versions Default: unaffected
  • affected from 0 to 1.25.10 (excl.)
  • affected from 1.26.0-0 to 1.26.3 (excl.)

References

Problem Types

  • CWE-407: Inefficient Algorithmic Complexity