Go LookupCNAME Double-Free Vulnerability in cgo DNS Resolver

Vulnerability

A double-free of C memory has been identified in the Go programming language's standard library, specifically within the 'net' package. It occurs when 'LookupCNAME' is served by the cgo DNS resolver (the path that delegates lookups to the system C library rather than Go's built-in resolver) and a very long CNAME response is received. Freeing the same C buffer twice corrupts the C allocator's bookkeeping; the observed outcome is a crash of the process performing the lookup, so the practical effect is denial of service.

Impact

A process that performs the vulnerable lookup and receives the overlong CNAME response crashes on the double-free. The triggering input is the DNS answer itself, so whoever controls the response for the queried name can cause the crash; the impact is denial of service for the affected process.

Remediation

Users can upgrade to Go 1.26.3 or 1.25.10, both of which include the fix. Instructions for downloading these versions are available on the Go website. Only lookups that go through the cgo resolver are affected: until the toolchain is upgraded, setting GODEBUG=netdns=go for the process, or constructing a net.Resolver with PreferGo set, routes lookups through the pure Go resolver instead.
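The following is an added example, not code from the Go project or from this advisory. It shows the two practitioner checks the sections above call for: deciding from runtime.Version() whether the running toolchain is at or past the patched releases named here (1.25.10 and 1.26.3), and, if not, forcing the pure Go resolver for CNAME lookups via the documented net.Resolver.PreferGo field, which is equivalent to GODEBUG=netdns=go scoped to that resolver. The version-parsing helper, the rule that release lines older than 1.25 and unparseable pre-release strings count as unpatched, and the lookup host in main are assumptions for illustration.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"runtime"
	"strconv"
	"strings"
	"time"
)

// Minimum patch level per release line, taken from the advisory text.
// Lines not listed here (older than 1.25) are treated as unpatched; this is
// a conservative assumption, since the advisory does not enumerate affected
// releases.
var fixedPatch = map[[2]int]int{
	{1, 25}: 10,
	{1, 26}: 3,
}

// parseGoVersion turns a runtime.Version() string such as "go1.25.10" into
// numeric components. Release candidates ("go1.26rc1") and development
// builds ("devel go1.27-...") do not parse and are reported as not ok.
func parseGoVersion(v string) (major, minor, patch int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return 0, 0, 0, false
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return 0, 0, 0, false
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], true
}

// lookupCNAMEFixed reports whether the given toolchain version carries the
// LookupCNAME fix. Anything that cannot be parsed is treated as unpatched so
// that callers fall back to the pure Go resolver.
func lookupCNAMEFixed(v string) bool {
	major, minor, patch, ok := parseGoVersion(v)
	if !ok {
		return false
	}
	if major > 1 || (major == 1 && minor > 26) {
		return true // a release line newer than both patched lines
	}
	need, known := fixedPatch[[2]int{major, minor}]
	return known && patch >= need
}

// cnameResolver returns the resolver to use for CNAME lookups: on an
// unpatched toolchain PreferGo forces Go's built-in resolver (no C memory
// involved); on a patched one the platform default is kept.
func cnameResolver(version string) *net.Resolver {
	return &net.Resolver{PreferGo: !lookupCNAMEFixed(version)}
}

func main() {
	v := runtime.Version()
	r := cnameResolver(v)
	fmt.Printf("toolchain %s patched=%v PreferGo=%v\n", v, lookupCNAMEFixed(v), r.PreferGo)

	// Live lookup for illustration only; the host is an arbitrary choice.
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	cname, err := r.LookupCNAME(ctx, "www.example.com")
	fmt.Println(cname, err)
}
```

PreferGo only takes effect on platforms where the built-in resolver is available, and it covers just the resolver instance it is set on; process-wide, GODEBUG=netdns=go has the same effect. A build with CGO_ENABLED=0 is not a reliable substitute, because on some platforms the C-library resolver path is reached without cgo.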

Added: May 7, 2026, 9:08 PM
Updated: May 7, 2026, 9:08 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 7.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.