Go net/mail Package Quadratic String Concatenation Vulnerability in Email Parsing

Vulnerability

A denial-of-service vulnerability has been identified in the net/mail package of Go. Pathological inputs can cause quadratic string concatenation in the consumePhrase function, which parses the display-name part of an email address as specified by RFC 5322, leading to excessive CPU consumption and memory allocation. The vulnerability affects Go versions prior to 1.25.10, as well as versions from 1.26.0 up to but not including 1.26.3.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing excessive CPU usage and memory consumption.

Remediation

Users can upgrade to Go versions 1.26.3 or 1.25.10, both of which include the necessary fix. Instructions for downloading these versions are available on the Go website.
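Upgrading is the fix; until a deployment is on a patched toolchain, the usual defensive control against parser-complexity issues of this kind is to bound the input before it reaches the parser. The following is an added example, not code from the Go project or from this advisory: a wrapper around net/mail's ParseAddress and ParseAddressList that rejects oversized headers and over-long address lists up front. The function names, the size and count limits, and the sample inputs are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// MaxAddressHeaderBytes is an assumed, application-chosen ceiling on the size
// of an address header handed to net/mail. Legitimate From/To values are a
// few hundred bytes; RFC 5322 limits a single header line to 998 characters.
const MaxAddressHeaderBytes = 4096

// ErrHeaderTooLarge is returned when a header exceeds the configured limit.
var ErrHeaderTooLarge = errors.New("address header exceeds size limit")

// ParseAddressBounded wraps mail.ParseAddress with a length check so that an
// oversized header is rejected before the parser does any work on it.
func ParseAddressBounded(header string, maxLen int) (*mail.Address, error) {
	if len(header) > maxLen {
		return nil, fmt.Errorf("%w: %d bytes > %d", ErrHeaderTooLarge, len(header), maxLen)
	}
	return mail.ParseAddress(header)
}

// ParseAddressListBounded applies the same size check to a comma-separated
// list and additionally caps the number of parsed addresses, so one header
// cannot fan out into an unbounded amount of downstream work.
func ParseAddressListBounded(header string, maxLen, maxAddrs int) ([]*mail.Address, error) {
	if len(header) > maxLen {
		return nil, fmt.Errorf("%w: %d bytes > %d", ErrHeaderTooLarge, len(header), maxLen)
	}
	addrs, err := mail.ParseAddressList(header)
	if err != nil {
		return nil, err
	}
	if len(addrs) > maxAddrs {
		return nil, fmt.Errorf("address list has %d entries, limit is %d", len(addrs), maxAddrs)
	}
	return addrs, nil
}

func main() {
	// Constructed sample input: an ordinary display-name address.
	a, err := ParseAddressBounded(`"Jane Doe" <jane@example.com>`, MaxAddressHeaderBytes)
	fmt.Println(a, err)

	// Constructed oversized input: a plain, very long local part that is
	// rejected by the size check without ever reaching net/mail.
	big := strings.Repeat("a", 10000) + "@example.com"
	_, err = ParseAddressBounded(big, MaxAddressHeaderBytes)
	fmt.Println(errors.Is(err, ErrHeaderTooLarge))
}
```

The limits belong at the point where untrusted mail enters the system (an SMTP receiver, an IMAP fetcher, a webhook that accepts raw messages), and rejected headers are worth logging with their size so that repeated oversized inputs from one source show up in monitoring.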

Added: May 7, 2026, 8:31 PM
Updated: May 7, 2026, 8:31 PM

Vulnerability Rating

Custom Algorithm

spread          5.4
impact          2.5
exploitability  5.3
remediation     7.7
relevance       7.7
threat          3.2
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.