Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows

GO-2026-5024 · CVE-2026-39824

Published May 22, 2026 · Modified Jun 9, 2026

Description

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.

References

REPORT https://go.dev/issue/78916
FIX https://go.dev/cl/770080
WEB https://groups.google.com/g/golang-announce/c/6MMI8Lj-Atg

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes