CVE-2026-42507
Go 脆弱性の分析と軽減

概要

CVE-2026-42507 is an error message injection vulnerability in Go's net/textproto standard library package. When returning errors, functions in this package include their input as part of the error message, allowing an attacker to inject misleading or arbitrary content into errors that are printed or logged. The vulnerability affects Go versions prior to 1.25.11 and 1.26.0–1.26.3 (fixed in 1.26.4). It was published on June 2, 2026, and carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, ENISA EUVD).

技術的な詳細

The root cause lies in insufficient sanitization of user-supplied input before it is embedded into error messages returned by functions in the net/textproto package, which handles text-based network protocol parsing (e.g., HTTP, SMTP, NNTP headers). This is classified as an insertion of sensitive or misleading information into log files (CWE-532 per community classification). An unauthenticated, remote attacker can craft malicious input — such as specially formatted HTTP or SMTP headers — that, when processed and rejected by the server, causes the resulting error message to contain attacker-controlled content. This content may then appear in application logs, error outputs, or user-facing messages, enabling log injection or log forgery attacks (GitHub Advisory, Go Issue, Go Vuln DB).

影響

The primary impact is an integrity violation: attackers can inject arbitrary, misleading content into error messages and application logs, potentially deceiving administrators or security monitoring systems into misinterpreting system state or masking malicious activity. There is no confidentiality or availability impact — the vulnerability does not expose sensitive data or cause service disruption. However, successful log injection could facilitate secondary attacks such as log forgery, covering tracks after a breach, or social engineering administrators through manipulated log output (GitHub Advisory, ENISA EUVD).

エクスプロイテーションのステップ

  1. Identify target: Locate applications built with Go versions prior to 1.25.11 or 1.26.4 that use the net/textproto package for parsing network protocol headers (e.g., HTTP servers, SMTP handlers, or proxies).
  2. Craft malicious input: Construct a network request (e.g., HTTP request) containing headers or protocol fields with embedded newline characters (\r\n) or other control characters designed to inject additional log lines or misleading content.
  3. Send the request: Transmit the crafted request to the target service. The net/textproto parsing functions will reject the malformed input and generate an error message that includes the attacker-controlled input verbatim.
  4. Observe log injection: The error message — containing the injected content — is written to application logs or displayed in error outputs, causing false log entries (e.g., fake authentication success messages, spoofed IP addresses, or fabricated events) to appear alongside legitimate log data.
  5. Leverage for secondary objectives: Use the injected log entries to confuse incident responders, mask malicious activity, or manipulate log-based alerting systems (Go Issue, Go Vuln DB).

妥協の兆候

  • Network: Inbound HTTP, SMTP, or other text-protocol requests containing unusual control characters (\r, \n, \0) or encoded variants within header fields or protocol lines.
  • Logs: Application log files containing unexpected or out-of-sequence log entries, duplicate timestamps, or entries with formatting inconsistent with the application's normal log structure — particularly in error log sections generated by net/textproto.
  • Logs: Error messages from Go applications referencing net/textproto that contain user-supplied strings with embedded newlines or special characters, potentially appearing as multi-line log entries from a single request.

軽減策と回避策

Update Go to version 1.25.11 or later (for the 1.25.x branch) or 1.26.4 or later (for the 1.26.x branch), which include the fix applied in change list CL 777060. Applications and downstream projects depending on the Go standard library should rebuild and redeploy using the patched Go toolchain. As a complementary measure, implement log sanitization or output encoding in application-level error handling to strip or escape control characters before writing to logs. Vendor advisories have been issued by Red Hat (RHSA-2026:23262), SUSE (SUSE-SU-2026:2326-1), and others for their Go packages (Go Announce, Red Hat, SUSE).

コミュニティの反応

The Go team disclosed the vulnerability via the golang-announce mailing list and the Go vulnerability database (Go Announce, Go Vuln DB). Microsoft referenced the CVE in its June 2026 Patch Tuesday update guide, reflecting the broad reach of Go-based software in the ecosystem (Microsoft MSRC). Community discussion on Mastodon and security mailing lists (oss-sec) noted the relatively low severity but highlighted the importance of log integrity for security monitoring (oss-sec). Downstream projects such as rclone and oauth2-proxy have already released updated versions incorporating the patched Go runtime.

関連情報


ソースこのレポートは AI を使用して生成されました

関連 Go 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2023-54365HIGH8.7
  • Go logoGo
  • traefik
いいえはいJun 23, 2026
CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
いいえはいJul 08, 2026
CVE-2026-42504HIGH7.5
  • Go logoGo
  • victoriametrics-operator-fips
いいえはいJun 02, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
いいえはいJul 08, 2026
CVE-2026-42507MEDIUM5.3
  • Go logoGo
  • grafana-pyroscope-1.16
いいえはいJun 02, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者