CVE-2026-39820 (GCVE-0-2026-39820)

Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-06-30 02:41
VLAI
Title
Quadratic string concatentation in consumeComment in net/mail
Summary
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-407 - Inefficient Algorithmic Complexity
  • CWE-606 - Unchecked Input for Loop Condition
Assigner
Go
References
Impacted products
Vendor Product Version
Go standard library net/mail Affected: 0 , < 1.25.10 (semver)
Affected: 1.26.0-0 , < 1.26.3 (semver)
Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 3.0     cpe:/a:redhat:service_mesh:3.0::el9
 Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 3.1     cpe:/a:redhat:service_mesh:3.1::el9
 Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 3.2     cpe:/a:redhat:service_mesh:3.2::el9
 Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 3.3     cpe:/a:redhat:service_mesh:3.3::el9
 Create a notification for this product.
Red Hat Assisted Installer for Red Hat OpenShift Container Platform 2     cpe:/a:redhat:assisted_installer:2
 Create a notification for this product.
Red Hat cert-manager Operator for Red Hat OpenShift     cpe:/a:redhat:cert_manager:1
 Create a notification for this product.
Red Hat Confidential Compute Attestation     cpe:/a:redhat:confidential_compute_attestation:1
 Create a notification for this product.
Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
 Create a notification for this product.
Red Hat Custom Metric Autoscaler operator for Red Hat Openshift     cpe:/a:redhat:openshift_custom_metrics_autoscaler:2
 Create a notification for this product.
Red Hat External Secrets Operator for Red Hat OpenShift     cpe:/a:redhat:external_secrets_operator:1
 Create a notification for this product.
Red Hat File Integrity Operator     cpe:/a:redhat:openshift_file_integrity_operator:1
 Create a notification for this product.
Red Hat Logging Subsystem for Red Hat OpenShift     cpe:/a:redhat:logging:6
 Create a notification for this product.
Red Hat Logical Volume Manager Storage     cpe:/a:redhat:lvms:4
 Create a notification for this product.
Red Hat Migration Toolkit for Applications 8     cpe:/a:redhat:migration_toolkit_applications:8
 Create a notification for this product.
Red Hat Migration Toolkit for Containers     cpe:/a:redhat:rhmt:1
 Create a notification for this product.
Red Hat Multiarch Tuning Operator     cpe:/a:redhat:multiarch_tuning_operator
 Create a notification for this product.
Red Hat Network Observability Operator     cpe:/a:redhat:network_observ_optr:1
 Create a notification for this product.
Red Hat OpenShift API for Data Protection     cpe:/a:redhat:openshift_api_data_protection:1
 Create a notification for this product.
Red Hat OpenShift Developer Tools and Services     cpe:/a:redhat:ocp_tools
 Create a notification for this product.
Red Hat OpenShift Lightspeed     cpe:/a:redhat:openshift_lightspeed
 Create a notification for this product.
Red Hat OpenShift Pipelines     cpe:/a:redhat:openshift_pipelines:1
 Create a notification for this product.
Red Hat OpenShift Serverless     cpe:/a:redhat:serverless:1
 Create a notification for this product.
Red Hat OpenShift Service Mesh 2     cpe:/a:redhat:service_mesh:2
 Create a notification for this product.
Red Hat OpenShift Service Mesh 3     cpe:/a:redhat:service_mesh:3
 Create a notification for this product.
Red Hat Power monitoring for Red Hat OpenShift     cpe:/a:redhat:openshift_power_monitoring
 Create a notification for this product.
Red Hat Red Hat Advanced Cluster Security 4     cpe:/a:redhat:advanced_cluster_security:4
 Create a notification for this product.
Red Hat Red Hat Ceph Storage 5     cpe:/a:redhat:ceph_storage:5
 Create a notification for this product.
Red Hat Red Hat Ceph Storage 6     cpe:/a:redhat:ceph_storage:6
 Create a notification for this product.
Red Hat Red Hat Ceph Storage 9     cpe:/a:redhat:ceph_storage:9
 Create a notification for this product.
Red Hat Red Hat Certification Program for Red Hat Enterprise Linux 9     cpe:/a:redhat:certifications:9
 Create a notification for this product.
Red Hat Red Hat Developer Hub     cpe:/a:redhat:rhdh:1
 Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
 Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
 Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
 Create a notification for this product.
Red Hat Red Hat Enterprise Linux AI (RHEL AI) 3     cpe:/a:redhat:enterprise_linux_ai:3
 Create a notification for this product.
Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
 Create a notification for this product.
Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
 Create a notification for this product.
Red Hat Red Hat OpenShift Cluster Manager CLI     cpe:/a:redhat:openshift_cluster_manager_cli:1
 Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
 Create a notification for this product.
Red Hat Red Hat Openshift Data Foundation 4     cpe:/a:redhat:openshift_data_foundation:4
 Create a notification for this product.
Red Hat Red Hat OpenShift Dev Spaces     cpe:/a:redhat:openshift_devspaces:3
 Create a notification for this product.
Red Hat Red Hat OpenShift Dev Workspaces Operator     cpe:/a:redhat:devworkspace
 Create a notification for this product.
Red Hat Red Hat OpenShift distributed tracing 3     cpe:/a:redhat:openshift_distributed_tracing:3
 Create a notification for this product.
Red Hat Red Hat OpenShift for Windows Containers     cpe:/a:redhat:windows_machine_config
 Create a notification for this product.
Red Hat Red Hat OpenShift GitOps     cpe:/a:redhat:openshift_gitops:1
 Create a notification for this product.
Red Hat Red Hat OpenShift Virtualization 4     cpe:/a:redhat:container_native_virtualization:4
 Create a notification for this product.
Red Hat Red Hat OpenStack Platform 18.0     cpe:/a:redhat:openstack:18.0
 Create a notification for this product.
Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
 Create a notification for this product.
Red Hat Red Hat Service Interconnect 1     cpe:/a:redhat:service_interconnect:1
 Create a notification for this product.
Red Hat Red Hat Service Interconnect 2     cpe:/a:redhat:service_interconnect:2
 Create a notification for this product.
Red Hat Red Hat Trusted Artifact Signer     cpe:/a:redhat:trusted_artifact_signer:1
 Create a notification for this product.
Red Hat Security Profiles Operator     cpe:/a:redhat:openshift_security_profiles_operator:1
 Create a notification for this product.
Red Hat Zero Trust Workload Identity Manager     cpe:/a:redhat:zero_trust_workload_identity_manager:1
 Create a notification for this product.
Red Hat Zero Trust Workload Identity Manager - Tech Preview     cpe:/a:redhat:zero_trust_workload_identity_manager:0
 Create a notification for this product.
Red Hat Red Hat OpenStack Platform 16.2     cpe:/a:redhat:openstack:16.2
 Create a notification for this product.
Red Hat Red Hat OpenStack Platform 17.1     cpe:/a:redhat:openstack:17.1
 Create a notification for this product.
Red Hat Gatekeeper 3     cpe:/a:redhat:gatekeeper:3
 Create a notification for this product.
Red Hat Multicluster Engine for Kubernetes     cpe:/a:redhat:multicluster_engine
 Create a notification for this product.
Red Hat Multicluster Global Hub     cpe:/a:redhat:multicluster_globalhub
 Create a notification for this product.
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2     cpe:/a:redhat:acm:2
 Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2     cpe:/a:redhat:ansible_automation_platform:2
 Create a notification for this product.
Red Hat Red Hat Edge Manager 1     cpe:/a:redhat:edge_manager:1
 Create a notification for this product.
Red Hat Red Hat Lightspeed for Runtimes Operator     cpe:/a:redhat:lightspeed_for_runtimes:1
 Create a notification for this product.
Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
 Create a notification for this product.
Credits
thatnealpatel
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39820",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T14:27:51.595266Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T14:27:54.923Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.0::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Service Mesh 3.0",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.1::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Service Mesh 3.1",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.2::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Service Mesh 3.2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.3::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Service Mesh 3.3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:assisted_installer:2"
            ],
            "defaultStatus": "affected",
            "product": "Assisted Installer for Red Hat OpenShift Container Platform 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:cert_manager:1"
            ],
            "defaultStatus": "affected",
            "product": "cert-manager Operator for Red Hat OpenShift",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:confidential_compute_attestation:1"
            ],
            "defaultStatus": "affected",
            "product": "Confidential Compute Attestation",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:cryostat:4"
            ],
            "defaultStatus": "affected",
            "product": "Cryostat 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2"
            ],
            "defaultStatus": "affected",
            "product": "Custom Metric Autoscaler operator for Red Hat Openshift",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:external_secrets_operator:1"
            ],
            "defaultStatus": "affected",
            "product": "External Secrets Operator for Red Hat OpenShift",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_file_integrity_operator:1"
            ],
            "defaultStatus": "affected",
            "product": "File Integrity Operator",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:logging:6"
            ],
            "defaultStatus": "affected",
            "product": "Logging Subsystem for Red Hat OpenShift",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:lvms:4"
            ],
            "defaultStatus": "affected",
            "product": "Logical Volume Manager Storage",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:migration_toolkit_applications:8"
            ],
            "defaultStatus": "affected",
            "product": "Migration Toolkit for Applications 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhmt:1"
            ],
            "defaultStatus": "affected",
            "product": "Migration Toolkit for Containers",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:multiarch_tuning_operator"
            ],
            "defaultStatus": "affected",
            "product": "Multiarch Tuning Operator",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:network_observ_optr:1"
            ],
            "defaultStatus": "affected",
            "product": "Network Observability Operator",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_api_data_protection:1"
            ],
            "defaultStatus": "affected",
            "product": "OpenShift API for Data Protection",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ocp_tools"
            ],
            "defaultStatus": "affected",
            "product": "OpenShift Developer Tools and Services",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_lightspeed"
            ],
            "defaultStatus": "affected",
            "product": "OpenShift Lightspeed",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_pipelines:1"
            ],
            "defaultStatus": "affected",
            "product": "OpenShift Pipelines",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:2"
            ],
            "defaultStatus": "affected",
            "product": "OpenShift Service Mesh 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "affected",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_power_monitoring"
            ],
            "defaultStatus": "affected",
            "product": "Power monitoring for Red Hat OpenShift",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:advanced_cluster_security:4"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Advanced Cluster Security 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ceph_storage:5"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ceph Storage 5",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ceph_storage:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ceph Storage 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ceph_storage:9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ceph Storage 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:certifications:9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Certification Program for Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhdh:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Developer Hub",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_cluster_manager_cli:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Cluster Manager CLI",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Container Platform 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_data_foundation:4"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Openshift Data Foundation 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_devspaces:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Dev Spaces",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:devworkspace"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Dev Workspaces Operator",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_distributed_tracing:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift distributed tracing 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:windows_machine_config"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift for Windows Containers",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_gitops:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift GitOps",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Virtualization 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openstack:18.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenStack Platform 18.0",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quay:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Quay 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_interconnect:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Service Interconnect 1",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_interconnect:2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Service Interconnect 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:trusted_artifact_signer:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Trusted Artifact Signer",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_security_profiles_operator:1"
            ],
            "defaultStatus": "affected",
            "product": "Security Profiles Operator",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:zero_trust_workload_identity_manager:1"
            ],
            "defaultStatus": "affected",
            "product": "Zero Trust Workload Identity Manager",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:zero_trust_workload_identity_manager:0"
            ],
            "defaultStatus": "affected",
            "product": "Zero Trust Workload Identity Manager - Tech Preview",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openstack:16.2"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat OpenStack Platform 16.2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openstack:17.1"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat OpenStack Platform 17.1",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:gatekeeper:3"
            ],
            "defaultStatus": "unknown",
            "product": "Gatekeeper 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:multicluster_engine"
            ],
            "defaultStatus": "unknown",
            "product": "Multicluster Engine for Kubernetes",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:multicluster_globalhub"
            ],
            "defaultStatus": "unknown",
            "product": "Multicluster Global Hub",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:acm:2"
            ],
            "defaultStatus": "unknown",
            "product": "Red Hat Advanced Cluster Management for Kubernetes 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "unknown",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:edge_manager:1"
            ],
            "defaultStatus": "unknown",
            "product": "Red Hat Edge Manager 1",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:lightspeed_for_runtimes:1"
            ],
            "defaultStatus": "unknown",
            "product": "Red Hat Lightspeed for Runtimes Operator",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:satellite:6"
            ],
            "defaultStatus": "unknown",
            "product": "Red Hat Satellite 6",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-07T19:41:19.854Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in the `net/mail` package of the Go programming language. An attacker could provide specially crafted inputs to the `ParseAddress`, `ParseAddressList`, or `ParseDate` functions. This could lead to excessive consumption of CPU and memory resources, resulting in a Denial of Service (DoS) for applications processing these inputs."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-606",
                "description": "Unchecked Input for Loop Condition",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T02:41:36.977Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-39820"
          },
          {
            "name": "RHBZ#2467820",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467820"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39820.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:33120"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:33123"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:33142"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:33150"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:33120: Red Hat OpenShift Service Mesh 3.0"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:33123: Red Hat OpenShift Service Mesh 3.1"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:33142: Red Hat OpenShift Service Mesh 3.2"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:33150: Red Hat OpenShift Service Mesh 3.3"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-07T20:01:27.800Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-07T19:41:19.854Z",
            "value": "Made public."
          }
        ],
        "title": "net/mail: golang: Go net/mail: Denial of Service via crafted email inputs",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/mail",
          "product": "net/mail",
          "programRoutines": [
            {
              "name": "addrParser.consumeComment"
            },
            {
              "name": "AddressParser.Parse"
            },
            {
              "name": "AddressParser.ParseList"
            },
            {
              "name": "Header.AddressList"
            },
            {
              "name": "Header.Date"
            },
            {
              "name": "ParseAddress"
            },
            {
              "name": "ParseAddressList"
            },
            {
              "name": "ParseDate"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.3",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "thatnealpatel"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:41:19.854Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/78566"
        },
        {
          "url": "https://go.dev/cl/759940"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4986"
        }
      ],
      "title": "Quadratic string concatentation in consumeComment in net/mail"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39820",
    "datePublished": "2026-05-07T19:41:19.854Z",
    "dateReserved": "2026-04-07T18:13:03.526Z",
    "dateUpdated": "2026-06-30T02:41:36.977Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-39820",
      "date": "2026-06-29",
      "epss": "0.00486",
      "percentile": "0.38207"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-39820\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2026-05-07T20:16:43.187\",\"lastModified\":\"2026-06-30T03:19:05.687\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.\"}],\"affected\":[{\"source\":\"security@golang.org\",\"affectedData\":[{\"vendor\":\"Go standard library\",\"product\":\"net/mail\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://pkg.go.dev\",\"packageName\":\"net/mail\",\"programRoutines\":[{\"name\":\"addrParser.consumeComment\"},{\"name\":\"AddressParser.Parse\"},{\"name\":\"AddressParser.ParseList\"},{\"name\":\"Header.AddressList\"},{\"name\":\"Header.Date\"},{\"name\":\"ParseAddress\"},{\"name\":\"ParseAddressList\"},{\"name\":\"ParseDate\"}],\"versions\":[{\"version\":\"0\",\"lessThan\":\"1.25.10\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"1.26.0-0\",\"lessThan\":\"1.26.3\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.0\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.0::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.1\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.1::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.2::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.3::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Assisted Installer for Red Hat OpenShift Container Platform 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:assisted_installer:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"cert-manager Operator for Red Hat OpenShift\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:cert_manager:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Confidential Compute Attestation\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:confidential_compute_attestation:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Cryostat 4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:cryostat:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Custom Metric Autoscaler operator for Red Hat Openshift\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_custom_metrics_autoscaler:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"External Secrets Operator for Red Hat OpenShift\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:external_secrets_operator:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"File Integrity Operator\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_file_integrity_operator:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Logging Subsystem for Red Hat OpenShift\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:logging:6\"]},{\"vendor\":\"Red Hat\",\"product\":\"Logical Volume Manager Storage\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:lvms:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Migration Toolkit for Applications 8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:migration_toolkit_applications:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Migration Toolkit for Containers\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhmt:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multiarch Tuning Operator\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multiarch_tuning_operator\"]},{\"vendor\":\"Red Hat\",\"product\":\"Network Observability Operator\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:network_observ_optr:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift API for Data Protection\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_api_data_protection:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Developer Tools and Services\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ocp_tools\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Lightspeed\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_lightspeed\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Pipelines\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_pipelines:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Serverless\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:serverless:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Service Mesh 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Service Mesh 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Power monitoring for Red Hat OpenShift\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_power_monitoring\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Advanced Cluster Security 4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:advanced_cluster_security:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ceph Storage 5\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ceph_storage:5\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ceph Storage 6\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ceph_storage:6\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ceph Storage 9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ceph_storage:9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Certification Program for Red Hat Enterprise Linux 9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:certifications:9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Developer Hub\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhdh:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 10\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AI (RHEL AI) 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux_ai:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Hardened Images\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:hummingbird:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Cluster Manager CLI\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_cluster_manager_cli:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Openshift Data Foundation 4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_data_foundation:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Dev Spaces\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_devspaces:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Dev Workspaces Operator\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:devworkspace\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift distributed tracing 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_distributed_tracing:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift for Windows Containers\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:windows_machine_config\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Virtualization 4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:container_native_virtualization:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenStack Platform 18.0\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openstack:18.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Service Interconnect 1\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_interconnect:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Service Interconnect 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_interconnect:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Trusted Artifact Signer\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:trusted_artifact_signer:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Security Profiles Operator\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_security_profiles_operator:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Zero Trust Workload Identity Manager\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:zero_trust_workload_identity_manager:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Zero Trust Workload Identity Manager - Tech Preview\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:zero_trust_workload_identity_manager:0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenStack Platform 16.2\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:openstack:16.2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenStack Platform 17.1\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:openstack:17.1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Gatekeeper 3\",\"defaultStatus\":\"unknown\",\"cpes\":[\"cpe:/a:redhat:gatekeeper:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Engine for Kubernetes\",\"defaultStatus\":\"unknown\",\"cpes\":[\"cpe:/a:redhat:multicluster_engine\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub\",\"defaultStatus\":\"unknown\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Advanced Cluster Management for Kubernetes 2\",\"defaultStatus\":\"unknown\",\"cpes\":[\"cpe:/a:redhat:acm:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ansible Automation Platform 2\",\"defaultStatus\":\"unknown\",\"cpes\":[\"cpe:/a:redhat:ansible_automation_platform:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Edge Manager 1\",\"defaultStatus\":\"unknown\",\"cpes\":[\"cpe:/a:redhat:edge_manager:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Lightspeed for Runtimes Operator\",\"defaultStatus\":\"unknown\",\"cpes\":[\"cpe:/a:redhat:lightspeed_for_runtimes:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Satellite 6\",\"defaultStatus\":\"unknown\",\"cpes\":[\"cpe:/a:redhat:satellite:6\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-05-08T14:27:51.595266Z\",\"id\":\"CVE-2026-39820\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-606\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.25.10\",\"matchCriteriaId\":\"1C966EF3-C51C-4239-B5FC-C44A5202FEC8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.26.0\",\"versionEndExcluding\":\"1.26.3\",\"matchCriteriaId\":\"522E4CD0-2B99-4363-9C78-0BAFD988A2D6\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/759940\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/78566\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/qcCIEXso47M\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\",\"Mailing List\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2026-4986\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:33120\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:33123\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:33142\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:33150\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-39820\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2467820\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39820.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39820\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-08T14:27:51.595266Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-08T14:27:47.966Z\"}}], \"cna\": {\"title\": \"Quadratic string concatentation in consumeComment in net/mail\", \"credits\": [{\"lang\": \"en\", \"value\": \"thatnealpatel\"}], \"affected\": [{\"vendor\": \"Go standard library\", \"product\": \"net/mail\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.25.10\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.26.0-0\", \"lessThan\": \"1.26.3\", \"versionType\": \"semver\"}], \"packageName\": \"net/mail\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"addrParser.consumeComment\"}, {\"name\": \"AddressParser.Parse\"}, {\"name\": \"AddressParser.ParseList\"}, {\"name\": \"Header.AddressList\"}, {\"name\": \"Header.Date\"}, {\"name\": \"ParseAddress\"}, {\"name\": \"ParseAddressList\"}, {\"name\": \"ParseDate\"}]}], \"references\": [{\"url\": \"https://go.dev/issue/78566\"}, {\"url\": \"https://go.dev/cl/759940\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/qcCIEXso47M\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2026-4986\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-407: Inefficient Algorithmic Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2026-05-07T19:41:19.854Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-39820\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-08T14:27:54.923Z\", \"dateReserved\": \"2026-04-07T18:13:03.526Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2026-05-07T19:41:19.854Z\", \"assignerShortName\": \"Go\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.