BIT-GOLANG-2026-42499 Quadratic string concatenation in consumePhrase in net/mail

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322...

CVE-2026-39820

CVE-2026-39820 relates to the Go net/mail package, specifically a quadratic string concatenation in the consumeComment path. This root cause can cause excessive CPU usage and memory allocations when parsing crafted inputs through functions like ParseAddress, ParseAddressList, and ParseDate. The p...

CVE-2026-39820 Quadratic string concatentation in consumeComment in net/mail

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations...

CVE-2026-42499

CVE-2026-42499 affects the net/mail package’s consumePhrase routine, where pathological inputs can trigger DoS due to quadratic string concatenation when parsing RFC 5322 email addresses. This is documented across multiple feeds (NVD, CVE list, Debian, CIRCL, OSV GO-2026-4977, vulnrichment), indi...

CVE-2026-42499 Quadratic string concatenation in consumePhrase in net/mail

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322...