Input Processing Flaw in Windows Affecting Go Language Functionality
CVE-2026-39836

Currently unrated

Key Information:

Vendor: Go Standard Library
Status: Net
Vendor: CVE Published:; 7 May 2026

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2026-39836?

An input processing flaw has been identified in the Dial and LookupPort functions of the Go programming language used on Windows systems. This vulnerability arises when the functions receive input containing a NUL (0) character, leading to a panic condition that could disrupt application execution and compromise overall system stability. Developers utilizing Go on Windows should ensure they implement proper input validation to prevent such failures and maintain robust application performance.

Affected Version(s)

net 0 < 1.25.10

net 1.26.0-0 < 1.26.3

References

https://go.dev/issue/79006

https://groups.google.com/g/golang-announce/c/qcCIEXso47M

https://go.dev/cl/775320

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2026
Vulnerability Reserved
Apr 7, 2026

CVE-2026-39836 Data

JSON