CVE-2026-42507
Go Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-42507 is an error message injection vulnerability in Go's net/textproto standard library package. When returning errors, functions in this package include their input as part of the error message, allowing an attacker to inject misleading or arbitrary content into errors that are printed or logged. The vulnerability affects Go versions prior to 1.25.11 and 1.26.0–1.26.3 (fixed in 1.26.4). It was published on June 2, 2026, and carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, ENISA EUVD).

Técnicas

The root cause lies in insufficient sanitization of user-supplied input before it is embedded into error messages returned by functions in the net/textproto package, which handles text-based network protocol parsing (e.g., HTTP, SMTP, NNTP headers). This is classified as an insertion of sensitive or misleading information into log files (CWE-532 per community classification). An unauthenticated, remote attacker can craft malicious input — such as specially formatted HTTP or SMTP headers — that, when processed and rejected by the server, causes the resulting error message to contain attacker-controlled content. This content may then appear in application logs, error outputs, or user-facing messages, enabling log injection or log forgery attacks (GitHub Advisory, Go Issue, Go Vuln DB).

Impacto

The primary impact is an integrity violation: attackers can inject arbitrary, misleading content into error messages and application logs, potentially deceiving administrators or security monitoring systems into misinterpreting system state or masking malicious activity. There is no confidentiality or availability impact — the vulnerability does not expose sensitive data or cause service disruption. However, successful log injection could facilitate secondary attacks such as log forgery, covering tracks after a breach, or social engineering administrators through manipulated log output (GitHub Advisory, ENISA EUVD).

Pasos de explotación

  1. Identify target: Locate applications built with Go versions prior to 1.25.11 or 1.26.4 that use the net/textproto package for parsing network protocol headers (e.g., HTTP servers, SMTP handlers, or proxies).
  2. Craft malicious input: Construct a network request (e.g., HTTP request) containing headers or protocol fields with embedded newline characters (\r\n) or other control characters designed to inject additional log lines or misleading content.
  3. Send the request: Transmit the crafted request to the target service. The net/textproto parsing functions will reject the malformed input and generate an error message that includes the attacker-controlled input verbatim.
  4. Observe log injection: The error message — containing the injected content — is written to application logs or displayed in error outputs, causing false log entries (e.g., fake authentication success messages, spoofed IP addresses, or fabricated events) to appear alongside legitimate log data.
  5. Leverage for secondary objectives: Use the injected log entries to confuse incident responders, mask malicious activity, or manipulate log-based alerting systems (Go Issue, Go Vuln DB).

Indicadores de compromiso

  • Network: Inbound HTTP, SMTP, or other text-protocol requests containing unusual control characters (\r, \n, \0) or encoded variants within header fields or protocol lines.
  • Logs: Application log files containing unexpected or out-of-sequence log entries, duplicate timestamps, or entries with formatting inconsistent with the application's normal log structure — particularly in error log sections generated by net/textproto.
  • Logs: Error messages from Go applications referencing net/textproto that contain user-supplied strings with embedded newlines or special characters, potentially appearing as multi-line log entries from a single request.

Mitigación y soluciones alternativas

Update Go to version 1.25.11 or later (for the 1.25.x branch) or 1.26.4 or later (for the 1.26.x branch), which include the fix applied in change list CL 777060. Applications and downstream projects depending on the Go standard library should rebuild and redeploy using the patched Go toolchain. As a complementary measure, implement log sanitization or output encoding in application-level error handling to strip or escape control characters before writing to logs. Vendor advisories have been issued by Red Hat (RHSA-2026:23262), SUSE (SUSE-SU-2026:2326-1), and others for their Go packages (Go Announce, Red Hat, SUSE).

Reacciones de la comunidad

The Go team disclosed the vulnerability via the golang-announce mailing list and the Go vulnerability database (Go Announce, Go Vuln DB). Microsoft referenced the CVE in its June 2026 Patch Tuesday update guide, reflecting the broad reach of Go-based software in the ecosystem (Microsoft MSRC). Community discussion on Mastodon and security mailing lists (oss-sec) noted the relatively low severity but highlighted the importance of log integrity for security monitoring (oss-sec). Downstream projects such as rclone and oauth2-proxy have already released updated versions incorporating the patched Go runtime.

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Go Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2023-54365HIGH8.7
  • Go logoGo
  • traefik
NoJun 23, 2026
CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
NoJul 08, 2026
CVE-2026-42504HIGH7.5
  • Go logoGo
  • victoriametrics-operator-fips
NoJun 02, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
NoJul 08, 2026
CVE-2026-42507MEDIUM5.3
  • Go logoGo
  • grafana-pyroscope-1.16
NoJun 02, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades