CVE-2026-42507
Go Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-42507 is an error message injection vulnerability in Go's net/textproto standard library package. When returning errors, functions in this package include their input as part of the error message, allowing an attacker to inject misleading or arbitrary content into errors that are printed or logged. The vulnerability affects Go versions prior to 1.25.11 and 1.26.0–1.26.3 (fixed in 1.26.4). It was published on June 2, 2026, and carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, ENISA EUVD).

Détails techniques

The root cause lies in insufficient sanitization of user-supplied input before it is embedded into error messages returned by functions in the net/textproto package, which handles text-based network protocol parsing (e.g., HTTP, SMTP, NNTP headers). This is classified as an insertion of sensitive or misleading information into log files (CWE-532 per community classification). An unauthenticated, remote attacker can craft malicious input — such as specially formatted HTTP or SMTP headers — that, when processed and rejected by the server, causes the resulting error message to contain attacker-controlled content. This content may then appear in application logs, error outputs, or user-facing messages, enabling log injection or log forgery attacks (GitHub Advisory, Go Issue, Go Vuln DB).

Impact

The primary impact is an integrity violation: attackers can inject arbitrary, misleading content into error messages and application logs, potentially deceiving administrators or security monitoring systems into misinterpreting system state or masking malicious activity. There is no confidentiality or availability impact — the vulnerability does not expose sensitive data or cause service disruption. However, successful log injection could facilitate secondary attacks such as log forgery, covering tracks after a breach, or social engineering administrators through manipulated log output (GitHub Advisory, ENISA EUVD).

Étapes d’exploitation

  1. Identify target: Locate applications built with Go versions prior to 1.25.11 or 1.26.4 that use the net/textproto package for parsing network protocol headers (e.g., HTTP servers, SMTP handlers, or proxies).
  2. Craft malicious input: Construct a network request (e.g., HTTP request) containing headers or protocol fields with embedded newline characters (\r\n) or other control characters designed to inject additional log lines or misleading content.
  3. Send the request: Transmit the crafted request to the target service. The net/textproto parsing functions will reject the malformed input and generate an error message that includes the attacker-controlled input verbatim.
  4. Observe log injection: The error message — containing the injected content — is written to application logs or displayed in error outputs, causing false log entries (e.g., fake authentication success messages, spoofed IP addresses, or fabricated events) to appear alongside legitimate log data.
  5. Leverage for secondary objectives: Use the injected log entries to confuse incident responders, mask malicious activity, or manipulate log-based alerting systems (Go Issue, Go Vuln DB).

Indicateurs de compromis

  • Network: Inbound HTTP, SMTP, or other text-protocol requests containing unusual control characters (\r, \n, \0) or encoded variants within header fields or protocol lines.
  • Logs: Application log files containing unexpected or out-of-sequence log entries, duplicate timestamps, or entries with formatting inconsistent with the application's normal log structure — particularly in error log sections generated by net/textproto.
  • Logs: Error messages from Go applications referencing net/textproto that contain user-supplied strings with embedded newlines or special characters, potentially appearing as multi-line log entries from a single request.

Atténuation et solutions de contournement

Update Go to version 1.25.11 or later (for the 1.25.x branch) or 1.26.4 or later (for the 1.26.x branch), which include the fix applied in change list CL 777060. Applications and downstream projects depending on the Go standard library should rebuild and redeploy using the patched Go toolchain. As a complementary measure, implement log sanitization or output encoding in application-level error handling to strip or escape control characters before writing to logs. Vendor advisories have been issued by Red Hat (RHSA-2026:23262), SUSE (SUSE-SU-2026:2326-1), and others for their Go packages (Go Announce, Red Hat, SUSE).

Réactions de la communauté

The Go team disclosed the vulnerability via the golang-announce mailing list and the Go vulnerability database (Go Announce, Go Vuln DB). Microsoft referenced the CVE in its June 2026 Patch Tuesday update guide, reflecting the broad reach of Go-based software in the ecosystem (Microsoft MSRC). Community discussion on Mastodon and security mailing lists (oss-sec) noted the relatively low severity but highlighted the importance of log integrity for security monitoring (oss-sec). Downstream projects such as rclone and oauth2-proxy have already released updated versions incorporating the patched Go runtime.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Go Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2023-54365HIGH8.7
  • Go logoGo
  • traefik
NonOuiJun 23, 2026
CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
NonOuiJul 08, 2026
CVE-2026-42504HIGH7.5
  • Go logoGo
  • victoriametrics-operator-fips
NonOuiJun 02, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
NonOuiJul 08, 2026
CVE-2026-42507MEDIUM5.3
  • Go logoGo
  • grafana-pyroscope-1.16
NonOuiJun 02, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités