CVE-2026-42504
Go Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-42504 is a Denial of Service vulnerability in the Go standard library's mime package, where decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU resources. It affects Go versions prior to 1.25.11 and versions 1.26.0 through 1.26.4 (exclusive). The vulnerability was published on June 2, 2026, and carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, ENISA EUVD).

Técnicas

The root cause is classified as CWE-407 (Inefficient Algorithmic Complexity) — the MIME header decoder in Go's standard library does not efficiently handle inputs containing large numbers of invalid encoded-words, leading to worst-case CPU consumption. An unauthenticated, remote attacker can exploit this by sending a specially crafted MIME header (e.g., in an email or HTTP request) to any application that uses Go's mime package for header decoding. No privileges or user interaction are required. The issue is tracked upstream at go.dev/issue/79217 and fixed via go.dev/cl/774481, with the vulnerability catalogued as GO-2026-5038 (GitHub Advisory, Go Vuln DB).

Impacto

Successful exploitation causes excessive CPU consumption on the affected server, resulting in degraded performance or complete denial of service for applications relying on Go's mime package for MIME header processing. There is no confidentiality or integrity impact — the vulnerability is limited to availability. Applications such as email servers, HTTP proxies, and any Go-based service that parses MIME headers are potentially affected (GitHub Advisory, ENISA EUVD).

Pasos de explotación

  1. Identify target: Locate internet-facing services built with Go (versions < 1.25.11 or 1.26.0–1.26.3) that accept and process MIME headers, such as email gateways, HTTP APIs, or mail processing applications.
  2. Craft malicious MIME header: Construct a MIME header containing a large number of invalid RFC 2047 encoded-words (e.g., =?utf-8?Q?...?= sequences that are malformed), designed to trigger worst-case algorithmic complexity in the decoder.
  3. Deliver the payload: Send the crafted header to the target service — for example, as an email message header to a Go-based mail server, or as an HTTP header to a Go-based web application that parses MIME content.
  4. Trigger CPU exhaustion: The Go mime package attempts to decode each invalid encoded-word, consuming disproportionate CPU cycles and causing the service to become unresponsive or severely degraded (GitHub Advisory, Go Issue).

Indicadores de compromiso

  • Network: Unusual or repeated inbound requests/emails containing MIME headers with abnormally large numbers of encoded-word sequences (e.g., =?charset?encoding?text?= patterns repeated hundreds or thousands of times).
  • System: Sustained high CPU utilization on Go-based application servers without a corresponding increase in legitimate traffic volume; Go runtime processes consuming near 100% CPU for extended periods.
  • Logs: Application logs showing slow or timed-out MIME header parsing operations; increased error rates or timeouts in mail or HTTP processing pipelines.
  • Process: Go application processes becoming unresponsive or triggering watchdog/health-check failures during periods of crafted header ingestion (GitHub Advisory).

Mitigación y soluciones alternativas

Upgrade to Go 1.25.11 or Go 1.26.4 (or later), which contain the fix for this vulnerability (go.dev/cl/774481). As a workaround, implement input validation and rate limiting on MIME header processing at the application or network layer to reduce exposure to maliciously crafted headers. Downstream distributions including SUSE, openSUSE, and Red Hat have released updated packages (SUSE Advisory, Red Hat Errata).

Reacciones de la comunidad

The Go team disclosed the vulnerability via the golang-announce mailing list and published a fix promptly (golang-announce). Multiple Linux distributions including SUSE, openSUSE, and Red Hat issued security advisories and updated packages shortly after disclosure. Microsoft also acknowledged the vulnerability in the context of Azure Linux/CBL-Mariner (MSRC). Community discussion on oss-sec and security forums noted the straightforward nature of the fix and the broad impact on any Go application processing MIME headers (oss-sec).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Go Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2023-54365HIGH8.7
  • Go logoGo
  • traefik
NoJun 23, 2026
CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
NoJul 08, 2026
CVE-2026-42504HIGH7.5
  • Go logoGo
  • victoriametrics-operator-fips
NoJun 02, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
NoJul 08, 2026
CVE-2026-42507MEDIUM5.3
  • Go logoGo
  • grafana-pyroscope-1.16
NoJun 02, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades