CVE-2026-42507
Go Análise e mitigação de vulnerabilidades

Visão geral

CVE-2026-42507 is an error message injection vulnerability in Go's net/textproto standard library package. When returning errors, functions in this package include their input as part of the error message, allowing an attacker to inject misleading or arbitrary content into errors that are printed or logged. The vulnerability affects Go versions prior to 1.25.11 and 1.26.0–1.26.3 (fixed in 1.26.4). It was published on June 2, 2026, and carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, ENISA EUVD).

Detalhes técnicos

The root cause lies in insufficient sanitization of user-supplied input before it is embedded into error messages returned by functions in the net/textproto package, which handles text-based network protocol parsing (e.g., HTTP, SMTP, NNTP headers). This is classified as an insertion of sensitive or misleading information into log files (CWE-532 per community classification). An unauthenticated, remote attacker can craft malicious input — such as specially formatted HTTP or SMTP headers — that, when processed and rejected by the server, causes the resulting error message to contain attacker-controlled content. This content may then appear in application logs, error outputs, or user-facing messages, enabling log injection or log forgery attacks (GitHub Advisory, Go Issue, Go Vuln DB).

Impacto

The primary impact is an integrity violation: attackers can inject arbitrary, misleading content into error messages and application logs, potentially deceiving administrators or security monitoring systems into misinterpreting system state or masking malicious activity. There is no confidentiality or availability impact — the vulnerability does not expose sensitive data or cause service disruption. However, successful log injection could facilitate secondary attacks such as log forgery, covering tracks after a breach, or social engineering administrators through manipulated log output (GitHub Advisory, ENISA EUVD).

Etapas de exploração

  1. Identify target: Locate applications built with Go versions prior to 1.25.11 or 1.26.4 that use the net/textproto package for parsing network protocol headers (e.g., HTTP servers, SMTP handlers, or proxies).
  2. Craft malicious input: Construct a network request (e.g., HTTP request) containing headers or protocol fields with embedded newline characters (\r\n) or other control characters designed to inject additional log lines or misleading content.
  3. Send the request: Transmit the crafted request to the target service. The net/textproto parsing functions will reject the malformed input and generate an error message that includes the attacker-controlled input verbatim.
  4. Observe log injection: The error message — containing the injected content — is written to application logs or displayed in error outputs, causing false log entries (e.g., fake authentication success messages, spoofed IP addresses, or fabricated events) to appear alongside legitimate log data.
  5. Leverage for secondary objectives: Use the injected log entries to confuse incident responders, mask malicious activity, or manipulate log-based alerting systems (Go Issue, Go Vuln DB).

Indicadores de compromisso

  • Network: Inbound HTTP, SMTP, or other text-protocol requests containing unusual control characters (\r, \n, \0) or encoded variants within header fields or protocol lines.
  • Logs: Application log files containing unexpected or out-of-sequence log entries, duplicate timestamps, or entries with formatting inconsistent with the application's normal log structure — particularly in error log sections generated by net/textproto.
  • Logs: Error messages from Go applications referencing net/textproto that contain user-supplied strings with embedded newlines or special characters, potentially appearing as multi-line log entries from a single request.

Mitigação e soluções alternativas

Update Go to version 1.25.11 or later (for the 1.25.x branch) or 1.26.4 or later (for the 1.26.x branch), which include the fix applied in change list CL 777060. Applications and downstream projects depending on the Go standard library should rebuild and redeploy using the patched Go toolchain. As a complementary measure, implement log sanitization or output encoding in application-level error handling to strip or escape control characters before writing to logs. Vendor advisories have been issued by Red Hat (RHSA-2026:23262), SUSE (SUSE-SU-2026:2326-1), and others for their Go packages (Go Announce, Red Hat, SUSE).

Reações da comunidade

The Go team disclosed the vulnerability via the golang-announce mailing list and the Go vulnerability database (Go Announce, Go Vuln DB). Microsoft referenced the CVE in its June 2026 Patch Tuesday update guide, reflecting the broad reach of Go-based software in the ecosystem (Microsoft MSRC). Community discussion on Mastodon and security mailing lists (oss-sec) noted the relatively low severity but highlighted the importance of log integrity for security monitoring (oss-sec). Downstream projects such as rclone and oauth2-proxy have already released updated versions incorporating the patched Go runtime.

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado Go Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2023-54365HIGH8.7
  • Go logoGo
  • traefik
NãoSimJun 23, 2026
CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
NãoSimJul 08, 2026
CVE-2026-42504HIGH7.5
  • Go logoGo
  • victoriametrics-operator-fips
NãoSimJun 02, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
NãoSimJul 08, 2026
CVE-2026-42507MEDIUM5.3
  • Go logoGo
  • grafana-pyroscope-1.16
NãoSimJun 02, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades