Launch Week Day 1: Announcing Security Design Review
Start for Free
UNKNOWN Go

Quadratic string concatentation in consumeComment in net/mail

GO-2026-4986 · BIT-golang-2026-39820 · CVE-2026-39820

Published · Modified

Description

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes