VYPR
Unrated severity · NVD Advisory · Published Jun 2, 2026

CVE-2026-42504

Description

Go's MIME decoder has quadratic complexity when decoding invalid encoded-words, leading to excessive CPU consumption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Decoding a maliciously crafted MIME header containing many invalid encoded-words can consume excessive CPU. The vulnerability exists in the `mime` package's `WordDecoder.DecodeHeader` function. The issue arises when the decoder attempts to process invalid encoded-word content, leading to quadratic complexity in certain scenarios. Affected versions are Go releases prior to 1.26.4 and 1.25.11 [1, 3].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted MIME header containing numerous invalid encoded-words to a Go application that processes such headers. The excessive CPU consumption occurs when the `WordDecoder.DecodeHeader` function repeatedly attempts to decode these malformed inputs, particularly those with many `=?x?y?` prefixes followed by a single terminal `?=` [3].

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service (DoS) condition due to excessive CPU consumption. This can render the affected Go application unresponsive or unavailable to legitimate users. The impact is limited to resource exhaustion and does not appear to grant unauthorized access or data modification capabilities.

Mitigation

Go versions 1.26.4 and 1.25.11 have been released to address this vulnerability. Users are advised to update to these versions or later. The specific release date for these versions was June 2, 2026 [1]. No workarounds are mentioned in the available references.

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Patches

f230dd8a1d0a

mime: avoid quadratic complexity in WordDecoder.DecodeHeader

https://github.com/golang/go · Damien Neil · May 5, 2026 · via github-commit-search
2 files changed · +6 −2
  • src/mime/encodedword.go (+2 −2, modified)
    @@ -275,8 +275,8 @@ func (d *WordDecoder) DecodeHeader(header string) (string, error) {
     		content, err := decode(encoding, text)
     		if err != nil {
     			betweenWords = false
    -			buf.WriteString(header[:start+2])
    -			header = header[start+2:]
    +			buf.WriteString(header[:end])
    +			header = header[end:]
     			continue
     		}
     
    
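Review bot: the only change here is the resume point after `decode` fails, from `start+2` to `end`, and `end` is computed above the visible context, so the thing to confirm in review is that `end` is always the offset just past the `?=` that closed the word beginning at `start` (otherwise `header[:end]` / `header[end:]` could drop or re-expose bytes, and an out-of-range `end` would panic). Given that invariant, the old two-byte skip is what made every failed word rescan the rest of the header for the next `=?`, which is the quadratic behaviour; a one-line comment on the `err != nil` branch stating that an undecodable word is emitted verbatim and skipped whole would make the intent clear to the next reader.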
  • src/mime/encodedword_test.go (+4 −0, modified)
    @@ -140,6 +140,10 @@ func TestDecodeHeader(t *testing.T) {
     		{"=?ISO-8859-1?Q?a?=  =?ISO-8859-1?Q?b?=", "ab"},
     		{"=?ISO-8859-1?Q?a?= \r\n\t =?ISO-8859-1?Q?b?=", "ab"},
     		{"=?ISO-8859-1?Q?a_b?=", "a b"},
    +		// Undecodable words
    +		{"=?UTF-8?b?garbage?= =?UTF-8?b?QW5kcsOp?= =?UTF-8?b?garbage?=", "=?UTF-8?b?garbage?= André =?UTF-8?b?garbage?="},
    +		{"=?UTF-8?b?QW5kcsOp", "=?UTF-8?b?QW5kcsOp"},
    +		{"=?UTF-8?x?y?=?UTF-8?x?y=?", "=?UTF-8?x?y?=?UTF-8?x?y=?"},
     	}
     
     	for _, test := range tests {
    
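Review bot: the three new cases pin the output for an undecodable base64 word, an unterminated word and the nested `=?UTF-8?x?y?=?UTF-8?x?y=?` shape, but all of them are short, so none would fail if the quadratic behaviour came back. Consider adding a `Benchmark`, or a test that builds a header from many repeated `=?x?y?` prefixes with a single trailing `?=` and asserts on the result, so a return to the `start+2` skip shows up as a timeout rather than passing silently.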

Vulnerability mechanics

Root cause

"The MIME header decoding logic can enter a quadratic complexity loop when encountering invalid encoded-words."

Attack vector

An attacker can trigger this vulnerability by sending a maliciously crafted MIME header containing many invalid encoded-words. The excessive CPU consumption occurs during the decoding of these malformed headers. This can lead to a denial-of-service condition in which the application becomes unresponsive under the high CPU load.

Affected code

The vulnerability exists in the `src/mime/encodedword.go` file within the `WordDecoder.DecodeHeader` function. The patch specifically targets the logic that handles undecodable encoded-words, modifying how the header string is processed after an error is detected.

What the fix does

The patch modifies the `WordDecoder.DecodeHeader` function to avoid quadratic complexity. When an undecodable encoded-word is encountered, the decoder now skips over the entire word (up to and including its terminal `?=`) instead of only the initial `=?`. This prevents the decoder from rescanning the same invalid portion of the header for every failed word, which is what caused the excessive CPU consumption.
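The advisory lists no workaround, so for callers that cannot upgrade immediately, here is a caller-side budget for `DecodeHeader`, added here as an illustration (it is not code from the Go project or from the advisory). It rejects headers whose count of `=?` openers exceeds a constructed threshold before the standard library scans them, which bounds how many times an unpatched decoder can restart its scan; the thresholds, the error value and the sample inputs are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"strings"
)

// Constructed budget for this example; tune it for the traffic you accept.
// RFC 2047 encoded-words are at most 75 bytes each, so a header line that
// legitimately carries 64 of them is already several kilobytes long.
const (
	maxHeaderBytes  = 8 * 1024
	maxEncodedWords = 64
)

var errHeaderBudget = errors.New("mime: header exceeds decoding budget")

// headerDecodeBudgetOK is a linear-time pre-check. The problematic shape in
// CVE-2026-42504 is a long run of "=?charset?enc?" openers with a single
// terminal "?=", so counting "=?" openers bounds the number of restarts the
// unpatched decoder can make while scanning the header.
func headerDecodeBudgetOK(header string) bool {
	if len(header) > maxHeaderBytes {
		return false
	}
	return strings.Count(header, "=?") <= maxEncodedWords
}

// safeDecodeHeader applies the budget before handing the header to the
// standard library, so an over-budget header costs O(n) and is never decoded.
func safeDecodeHeader(dec *mime.WordDecoder, header string) (string, error) {
	if !headerDecodeBudgetOK(header) {
		return "", errHeaderBudget
	}
	return dec.DecodeHeader(header)
}

func main() {
	dec := new(mime.WordDecoder)
	// Constructed inputs: a normal header and the advisory's problematic shape.
	for _, h := range []string{
		"=?UTF-8?b?QW5kcsOp?= <andre@example.invalid>",
		strings.Repeat("=?x?y?", 200) + "?=",
	} {
		out, err := safeDecodeHeader(dec, h)
		fmt.Printf("%d-byte header -> %q, err=%v\n", len(h), out, err)
	}
}
```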

Preconditions

  • input: The input must be a MIME header containing one or more invalid encoded-words.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
