CVE-2026-42499 Quadratic string concatenation in consumePhrase in net/mail

🗓️ 07 May 2026 19:41:18Reported by GoType

CVE-2026-42499: Quadratic string concat in net/mail consumePhrase may cause DoS during RFC 5322 email parsing.

Reporter	Title	Published	Views	Family All 1029
ATTACKERKB	CVE-2026-42499	7 May 202619:41	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : runc (ALAS2023-2026-1715)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : yq (ALAS2023-2026-1716)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : rclone (ALAS2023-2026-1717)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : captree, libcap, libcap-devel (ALAS2023-2026-1721)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : git-lfs (ALAS2023-2026-1722)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : cni-plugins (ALAS2023-2026-1723)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : nerdctl (ALAS2023-2026-1735)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : docker (ALAS2023-2026-1736)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2026-1737)	27 May 202600:00	–	nessus

[
  {
    "vendor": "Go standard library",
    "product": "net/mail",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "net/mail",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.25.10",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.26.0-0",
        "lessThan": "1.26.3",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "addrParser.consumePhrase"
      },
      {
        "name": "AddressParser.Parse"
      },
      {
        "name": "AddressParser.ParseList"
      },
      {
        "name": "Header.AddressList"
      },
      {
        "name": "ParseAddress"
      },
      {
        "name": "ParseAddressList"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
pkg	www.pkg.go.dev/vuln/GO-2026-4977
go	www.go.dev/cl/771520
groups	www.groups.google.com/g/golang-announce/c/qcCIEXso47M
go	www.go.dev/issue/78987

07 May 2026 19:41Current

EPSS0.00024