Input Processing Flaw in Windows Affecting Go Language Functionality
CVE-2026-39836

7.5 HIGH

Key Information:

CVE Published: 7 May 2026

What is CVE-2026-39836?

An input processing flaw has been identified in the Dial and LookupPort functions of the Go net package on Windows systems. When either function receives input containing a NUL (0) character, it panics, which can disrupt application execution and compromise overall system stability. Developers using Go on Windows should validate input before passing it to these functions to prevent such failures.
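One way to apply the input validation described above, as an added example that is not code from the Go project or from this advisory: reject any NUL byte before the value reaches net.Dial or net.LookupPort. The names ErrNUL, checkNoNUL, SafeLookupPort and SafeDial are hypothetical, and the sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// ErrNUL marks input rejected because it contains a NUL (0) byte.
var ErrNUL = errors.New("input contains NUL byte")

// checkNoNUL returns ErrNUL if any field contains a NUL byte.
func checkNoNUL(fields ...string) error {
	for _, f := range fields {
		if strings.IndexByte(f, 0) >= 0 {
			return fmt.Errorf("%w: %q", ErrNUL, f)
		}
	}
	return nil
}

// SafeLookupPort (hypothetical wrapper) validates before net.LookupPort.
func SafeLookupPort(network, service string) (int, error) {
	if err := checkNoNUL(network, service); err != nil {
		return 0, err
	}
	return net.LookupPort(network, service)
}

// SafeDial (hypothetical wrapper) validates before net.Dial.
func SafeDial(network, address string) (net.Conn, error) {
	if err := checkNoNUL(network, address); err != nil {
		return nil, err
	}
	return net.Dial(network, address)
}

func main() {
	// Constructed sample inputs; the second carries an embedded NUL.
	for _, svc := range []string{"443", "http\x00"} {
		port, err := SafeLookupPort("tcp", svc)
		fmt.Printf("service=%q port=%d err=%v\n", svc, port, err)
	}
}
```

The wrappers return an ordinary error for untrusted input, so the caller can log and drop the request instead of relying on the library call to survive it.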

Affected Version(s)

net 0 < 1.25.10

net 1.26.0-0 < 1.26.3

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
