String Length Overflow Vulnerability in NewNTUnicodeString by Golang
CVE-2026-39824
Currently unrated
What is CVE-2026-39824?
The NewNTUnicodeString implementation in Golang has a string length overflow vulnerability. The issue arises when an input string exceeds the capacity of an NTUnicodeString, whose length is stored as a 16-bit number of bytes. Instead of returning an error to signal the overflow, the function incorrectly returns a truncated string. This behavior can lead to unintended consequences in software execution, potentially allowing for data corruption or security breaches.
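The following Go program is an added example, not code from golang.org/x/sys/windows: it models the 16-bit byte count described above and contrasts an unchecked narrowing with a caller-side check that returns an error. The names utf16Bytes, uncheckedLength, checkedLength and ErrTooLong are hypothetical, and counting a terminating NUL in the byte length is an assumption of this model.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strings"
	"unicode/utf16"
)

// ErrTooLong is a hypothetical error used by this example.
var ErrTooLong = errors.New("string exceeds 16-bit byte length")

// utf16Bytes returns the UTF-16 size of s in bytes, including a NUL
// terminator (assumption: the counted buffer is NUL-terminated).
func utf16Bytes(s string) int {
	return (len(utf16.Encode([]rune(s))) + 1) * 2
}

// uncheckedLength narrows the byte count to 16 bits without a range check,
// so counts above 65535 wrap and describe only part of the string.
func uncheckedLength(s string) uint16 {
	return uint16(utf16Bytes(s))
}

// checkedLength returns ErrTooLong instead of a wrapped length.
func checkedLength(s string) (uint16, error) {
	n := utf16Bytes(s)
	if n > math.MaxUint16 {
		return 0, ErrTooLong
	}
	return uint16(n), nil
}

func main() {
	// Constructed inputs: a short path, the longest ASCII string that fits,
	// one character past that limit, and a clearly oversized string.
	inputs := []string{`C:\Windows`, strings.Repeat("A", 32766),
		strings.Repeat("A", 32767), strings.Repeat("A", 40000)}
	for _, s := range inputs {
		n, err := checkedLength(s)
		fmt.Printf("len=%d bytes=%d unchecked=%d checked=%d err=%v\n",
			len(s), utf16Bytes(s), uncheckedLength(s), n, err)
	}
}
```

On versions in the affected range, a guard of this kind in the calling code rejects oversized input before it reaches the conversion.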
Affected Version(s)
golang.org/x/sys/windows windows 0 < 0.44.0
