CVE-2026-42504 PUBLISHED

Quadratic complexity in WordDecoder.DecodeHeader in mime

Assigner: Go
Reserved: 28.04.2026 Published: 02.06.2026 Updated: 03.06.2026

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Product Status

Vendor Go standard library
Product mime
Versions Default: unaffected
  • affected from 0 to 1.25.11 (excl.)
  • affected from 1.26.0-0 to 1.26.4 (excl.)

Credits

  • p4p3r (https://hackerone.com/p4p3r_hak)

References

Problem Types

  • CWE-407: Inefficient Algorithmic Complexity