CVE-2026-39820 Quadratic string concatentation in consumeComment in net/mail

🗓️ 07 May 2026 19:41:19Reported by GoType

CVE-2026-39820 causes CPU exhaustion from quadratic string concatenation in consumeComment.

Reporter	Title	Published	Views	Family All 1030
ATTACKERKB	CVE-2026-39820	7 May 202619:41	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : runc (ALAS2023-2026-1715)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : yq (ALAS2023-2026-1716)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : rclone (ALAS2023-2026-1717)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : captree, libcap, libcap-devel (ALAS2023-2026-1721)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : git-lfs (ALAS2023-2026-1722)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : cni-plugins (ALAS2023-2026-1723)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : nerdctl (ALAS2023-2026-1735)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : docker (ALAS2023-2026-1736)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2026-1737)	27 May 202600:00	–	nessus

[
  {
    "vendor": "Go standard library",
    "product": "net/mail",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "net/mail",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.25.10",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.26.0-0",
        "lessThan": "1.26.3",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "addrParser.consumeComment"
      },
      {
        "name": "AddressParser.Parse"
      },
      {
        "name": "AddressParser.ParseList"
      },
      {
        "name": "Header.AddressList"
      },
      {
        "name": "Header.Date"
      },
      {
        "name": "ParseAddress"
      },
      {
        "name": "ParseAddressList"
      },
      {
        "name": "ParseDate"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
go	www.go.dev/issue/78566
go	www.go.dev/cl/759940
groups	www.groups.google.com/g/golang-announce/c/qcCIEXso47M
pkg	www.pkg.go.dev/vuln/GO-2026-4986

07 May 2026 19:41Current

EPSS0.00369