
Cloud Vulnerability DB
コミュニティ主導の脆弱性データベース
CVE-2026-42504 is a Denial of Service vulnerability in the Go standard library's mime package, where decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU resources. It affects Go versions prior to 1.25.11 and versions 1.26.0 through 1.26.4 (exclusive). The vulnerability was published on June 2, 2026, and carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, ENISA EUVD).
The root cause is classified as CWE-407 (Inefficient Algorithmic Complexity) — the MIME header decoder in Go's standard library does not efficiently handle inputs containing large numbers of invalid encoded-words, leading to worst-case CPU consumption. An unauthenticated, remote attacker can exploit this by sending a specially crafted MIME header (e.g., in an email or HTTP request) to any application that uses Go's mime package for header decoding. No privileges or user interaction are required. The issue is tracked upstream at go.dev/issue/79217 and fixed via go.dev/cl/774481, with the vulnerability catalogued as GO-2026-5038 (GitHub Advisory, Go Vuln DB).
Successful exploitation causes excessive CPU consumption on the affected server, resulting in degraded performance or complete denial of service for applications relying on Go's mime package for MIME header processing. There is no confidentiality or integrity impact — the vulnerability is limited to availability. Applications such as email servers, HTTP proxies, and any Go-based service that parses MIME headers are potentially affected (GitHub Advisory, ENISA EUVD).
=?utf-8?Q?...?= sequences that are malformed), designed to trigger worst-case algorithmic complexity in the decoder.mime package attempts to decode each invalid encoded-word, consuming disproportionate CPU cycles and causing the service to become unresponsive or severely degraded (GitHub Advisory, Go Issue).=?charset?encoding?text?= patterns repeated hundreds or thousands of times).Upgrade to Go 1.25.11 or Go 1.26.4 (or later), which contain the fix for this vulnerability (go.dev/cl/774481). As a workaround, implement input validation and rate limiting on MIME header processing at the application or network layer to reduce exposure to maliciously crafted headers. Downstream distributions including SUSE, openSUSE, and Red Hat have released updated packages (SUSE Advisory, Red Hat Errata).
The Go team disclosed the vulnerability via the golang-announce mailing list and published a fix promptly (golang-announce). Multiple Linux distributions including SUSE, openSUSE, and Red Hat issued security advisories and updated packages shortly after disclosure. Microsoft also acknowledged the vulnerability in the context of Azure Linux/CBL-Mariner (MSRC). Community discussion on oss-sec and security forums noted the straightforward nature of the fix and the broad impact on any Go application processing MIME headers (oss-sec).
ソース: このレポートは AI を使用して生成されました
無料の脆弱性評価
9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。
パーソナライズされたデモを見る
"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"