CPU Exhaustion and Memory Allocation Vulnerability in Go Programming Language
CVE-2026-39820

7.5HIGH

Key Information:

Vendor: Go Standard Library
Status: Net/mail
Vendor: CVE Published:; 7 May 2026

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2026-39820?

A vulnerability exists in the Go programming language that allows specially crafted inputs to functions such as ParseAddress, ParseAddressList, and ParseDate, leading to excessive CPU exhaustion and unwanted memory allocations. This can severely affect the performance of applications utilizing these functions, potentially causing a denial of service as systems become overwhelmed with resource demands.

Affected Version(s)

net/mail 0 < 1.25.10

net/mail 1.26.0-0 < 1.26.3

References

https://go.dev/issue/78566

https://go.dev/cl/759940

https://groups.google.com/g/golang-announce/c/qcCIEXso47M

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

thatnealpatel

CVE-2026-39820 Data

JSON