
PEACH
Un cadre d’isolation des locataires
CVE-2026-42507 is an error message injection vulnerability in Go's net/textproto standard library package. When returning errors, functions in this package include their input as part of the error message, allowing an attacker to inject misleading or arbitrary content into errors that are printed or logged. The vulnerability affects Go versions prior to 1.25.11 and 1.26.0–1.26.3 (fixed in 1.26.4). It was published on June 2, 2026, and carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, ENISA EUVD).
The root cause lies in insufficient sanitization of user-supplied input before it is embedded into error messages returned by functions in the net/textproto package, which handles text-based network protocol parsing (e.g., HTTP, SMTP, NNTP headers). This is classified as an insertion of sensitive or misleading information into log files (CWE-532 per community classification). An unauthenticated, remote attacker can craft malicious input — such as specially formatted HTTP or SMTP headers — that, when processed and rejected by the server, causes the resulting error message to contain attacker-controlled content. This content may then appear in application logs, error outputs, or user-facing messages, enabling log injection or log forgery attacks (GitHub Advisory, Go Issue, Go Vuln DB).
The primary impact is an integrity violation: attackers can inject arbitrary, misleading content into error messages and application logs, potentially deceiving administrators or security monitoring systems into misinterpreting system state or masking malicious activity. There is no confidentiality or availability impact — the vulnerability does not expose sensitive data or cause service disruption. However, successful log injection could facilitate secondary attacks such as log forgery, covering tracks after a breach, or social engineering administrators through manipulated log output (GitHub Advisory, ENISA EUVD).
net/textproto package for parsing network protocol headers (e.g., HTTP servers, SMTP handlers, or proxies).\r\n) or other control characters designed to inject additional log lines or misleading content.net/textproto parsing functions will reject the malformed input and generate an error message that includes the attacker-controlled input verbatim.\r, \n, \0) or encoded variants within header fields or protocol lines.net/textproto.net/textproto that contain user-supplied strings with embedded newlines or special characters, potentially appearing as multi-line log entries from a single request.Update Go to version 1.25.11 or later (for the 1.25.x branch) or 1.26.4 or later (for the 1.26.x branch), which include the fix applied in change list CL 777060. Applications and downstream projects depending on the Go standard library should rebuild and redeploy using the patched Go toolchain. As a complementary measure, implement log sanitization or output encoding in application-level error handling to strip or escape control characters before writing to logs. Vendor advisories have been issued by Red Hat (RHSA-2026:23262), SUSE (SUSE-SU-2026:2326-1), and others for their Go packages (Go Announce, Red Hat, SUSE).
The Go team disclosed the vulnerability via the golang-announce mailing list and the Go vulnerability database (Go Announce, Go Vuln DB). Microsoft referenced the CVE in its June 2026 Patch Tuesday update guide, reflecting the broad reach of Go-based software in the ecosystem (Microsoft MSRC). Community discussion on Mastodon and security mailing lists (oss-sec) noted the relatively low severity but highlighted the importance of log integrity for security monitoring (oss-sec). Downstream projects such as rclone and oauth2-proxy have already released updated versions incorporating the patched Go runtime.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."