Denial of Service in Go Programming Language's Email Parsing
CVE-2026-42499

7.5 HIGH

Key Information:

CVE Published: 7 May 2026

What is CVE-2026-42499?

Go's net/mail package contains a vulnerability in which pathological inputs cause a Denial of Service (DoS) condition while email addresses are being processed. The problem occurs in the consumePhrase function, which parses input in accordance with RFC 5322. Exploitation may disrupt services that rely on email address handling, so affected deployments should apply the patched releases.

Affected Version(s)

net/mail 0 < 1.25.10

net/mail 1.26.0-0 < 1.26.3
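
A check of a Go toolchain version against the two affected ranges listed above, as an added example (not code from the Go project or from this advisory). It assumes the net/mail version equals the Go release version reported by `runtime.Version()`; the names `versionKey` and `Affected` are hypothetical.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// versionKey maps "go1.25.9", "1.26.0" or "go1.26rc2" to a sortable integer
// (major*1e6 + minor*1e3 + patch). A pre-release such as rc2 maps to x.y.0.
func versionKey(v string) (int, error) {
	raw := v
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	// Cut at the first character that is not a digit or dot (rc, beta, build tags).
	if i := strings.IndexFunc(v, func(r rune) bool { return r != '.' && (r < '0' || r > '9') }); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return 0, fmt.Errorf("unrecognised Go version %q", raw)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n > 999 {
			return 0, fmt.Errorf("unrecognised Go version %q", raw)
		}
		nums[i] = n
	}
	return nums[0]*1_000_000 + nums[1]*1_000 + nums[2], nil
}

// Affected applies the advisory's ranges: below 1.25.10, or from 1.26.0-0
// (which includes 1.26 pre-releases) up to but not including 1.26.3.
func Affected(version string) (bool, error) {
	k, err := versionKey(version)
	if err != nil {
		return false, err // e.g. "devel ..." builds: needs manual review
	}
	return k < 1_025_010 || (k >= 1_026_000 && k < 1_026_003), nil
}

func main() {
	hit, err := Affected(runtime.Version())
	fmt.Println(runtime.Version(), "affected:", hit, "err:", err)
}
```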

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
