Vypr advisory · Published Jun 2, 2026 · Updated Jun 4, 2026 · 1 source

Golang's net/textproto and x509 Packages Hit by Three CVEs on June 2nd

Key findings

  • Three Go standard library vulnerabilities disclosed on June 2nd, 2026.
  • CVE-2026-42504 (High) allows excessive CPU consumption via crafted MIME headers.
  • CVE-2026-42507 (Medium) permits misleading content injection into errors.
  • CVE-2026-27145 (Medium) causes performance issues in x509 certificate hostname verification.
  • Vulnerabilities affect net/textproto and crypto/x509 packages.

On June 2nd, 2026, a cluster of three vulnerabilities impacting the Go programming language's standard library was disclosed. These issues affect the net/textproto and crypto/x509 packages, with one vulnerability rated as High severity and two as Medium.

The most critical of these, CVE-2026-42504, is a High severity vulnerability stemming from the handling of maliciously crafted MIME headers. When such headers contain numerous invalid encoded-words, the decoding process can consume excessive CPU resources, potentially leading to denial-of-service conditions. This type of vulnerability can be exploited by sending specially crafted email or other MIME-encoded data to an application that uses Go's MIME parsing capabilities.
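A defensive pattern that complements the toolchain fix is to bound the work a single untrusted header can demand before it reaches the decoder. The following is an added example, not code from the Go project or the advisory; it assumes the application decodes RFC 2047 encoded-words with `mime.WordDecoder` and uses policy limits (`MaxHeaderBytes`, `MaxEncodedWords`) that are chosen here for illustration rather than taken from the advisory:

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"strings"
)

// Assumed policy limits for this example; the advisory specifies none.
const (
	MaxHeaderBytes  = 8 * 1024
	MaxEncodedWords = 64
)

var ErrHeaderBudget = errors.New("header exceeds decoding budget")

// decodeHeaderBounded decodes encoded-words in a header value only after
// checking that the raw value fits a byte budget and carries at most
// MaxEncodedWords "=?" markers. Rejecting oversized or marker-stuffed
// headers up front caps the CPU an untrusted message can consume in the
// decoder, whatever the decoder does with malformed words.
func decodeHeaderBounded(dec *mime.WordDecoder, raw string) (string, error) {
	if len(raw) > MaxHeaderBytes {
		return "", fmt.Errorf("%w: %d bytes > %d", ErrHeaderBudget, len(raw), MaxHeaderBytes)
	}
	if n := strings.Count(raw, "=?"); n > MaxEncodedWords {
		return "", fmt.Errorf("%w: %d encoded-word markers > %d", ErrHeaderBudget, n, MaxEncodedWords)
	}
	return dec.DecodeHeader(raw)
}

func main() {
	dec := &mime.WordDecoder{}

	// Constructed benign header: one valid encoded-word followed by plain text.
	out, err := decodeHeaderBounded(dec, "=?utf-8?q?hello?= world")
	fmt.Printf("%q %v\n", out, err)

	// Constructed marker-stuffed header: rejected before any decoding happens.
	_, err = decodeHeaderBounded(dec, strings.Repeat("=?x?q?a?=", MaxEncodedWords+1))
	fmt.Println(err)
}
```

The count of `=?` markers is a cheap, linear pre-check; the same guard can sit in front of any header consumer (SMTP receiver, IMAP proxy, webhook ingester) so that the decoder only ever sees inputs whose cost is already bounded.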

Another vulnerability, CVE-2026-42507, also impacts the net/textproto package. This Medium severity issue arises when the package returns errors. In certain error scenarios, the function would inadvertently include its input as part of the error message. This could allow an attacker to inject misleading or malicious content into error messages that are subsequently printed or logged by an application. Developers relying on logging or user-facing error messages from this package should be aware of the potential for data leakage or manipulation.
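Because an error string that echoes its input can carry newlines or terminal escape sequences into a log, the application side of the mitigation is to never write `err.Error()` verbatim. The block below is an added example, not code from the Go project or the advisory; the `sanitizeForLog` and `logLine` helpers and the `MaxErrLogBytes` cap are this example's own names and assumptions:

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// MaxErrLogBytes caps how much of an error string reaches the log
// (assumed policy value, not from the advisory).
const MaxErrLogBytes = 256

// sanitizeForLog returns a single-line, printable rendering of s.
// strconv.Quote escapes newlines, carriage returns, control characters
// (including ESC, so ANSI sequences are neutralised) and invalid UTF-8 bytes,
// so text echoed from untrusted input cannot forge extra log lines or
// drive a terminal that displays the log. The input is truncated first so
// one error cannot flood the log.
func sanitizeForLog(s string, maxLen int) string {
	truncated := false
	if maxLen > 0 && len(s) > maxLen {
		s = s[:maxLen] // may split a multi-byte rune; Quote escapes the partial bytes safely
		truncated = true
	}
	q := strconv.Quote(s)
	if truncated {
		q += "...(truncated)"
	}
	return q
}

// logLine formats an operation name and its error for a structured-text log.
func logLine(op string, err error) string {
	return fmt.Sprintf("%s: err=%s", op, sanitizeForLog(err.Error(), MaxErrLogBytes))
}

func main() {
	// Constructed error text imitating a parser that echoes its input, with a
	// forged second log line and a colour escape sequence embedded in it.
	err := errors.New("unexpected token\n[INFO] auth: admin login succeeded\x1b[31m")
	fmt.Println(logLine("parse-headers", err))
}
```

Apply the same helper to any error that is rendered to users, not only to logs; a structured logger that emits JSON gets similar protection from its encoder, but plain-text and `log.Printf` style output does not.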

The third disclosed vulnerability, CVE-2026-27145, affects the crypto/x509 package and is rated Medium severity. Previously, the (*x509.Certificate).VerifyHostname function would repeatedly call matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This led to strings.Split(host, ".") being executed numerous times on the same hostname. For certificates with a large number of SAN entries, this could result in quadratic scaling of verification costs, potentially leading to performance degradation or denial-of-service when validating a large number of certificates.
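Since the cost grows with the number of DNS SAN entries, a verifier that accepts certificates from untrusted peers can enforce a SAN budget before calling `VerifyHostname`. The following is an added example, not code from the Go project or the advisory; `MaxDNSSANs`, `checkSANBudget` and `makeTestCert` are this example's own names, and the threshold is an assumed policy value. It uses the real `crypto/x509` API (`DNSNames`, `VerifyHostname`, `CreateCertificate`) and generates a self-signed test certificate in memory so it runs offline:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxDNSSANs is an assumed policy threshold, not a value from the advisory.
const MaxDNSSANs = 100

var ErrTooManySANs = errors.New("certificate has more DNS SANs than policy allows")

// checkSANBudget refuses to run hostname verification on a certificate whose
// DNS SAN count exceeds the budget, bounding the work an oversized
// certificate can force on the verifier. Within budget it defers to the
// standard library's VerifyHostname.
func checkSANBudget(cert *x509.Certificate, host string) error {
	if n := len(cert.DNSNames); n > MaxDNSSANs {
		return fmt.Errorf("%w: %d > %d", ErrTooManySANs, n, MaxDNSSANs)
	}
	return cert.VerifyHostname(host)
}

// makeTestCert builds a self-signed certificate carrying the given DNS SANs.
// Constructed test data only: a fresh P-256 key and a one-hour validity window.
func makeTestCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := makeTestCert([]string{"api.example.test", "www.example.test"})
	if err != nil {
		panic(err)
	}
	fmt.Println("in-budget match:", checkSANBudget(cert, "www.example.test"))
	fmt.Println("in-budget mismatch:", checkSANBudget(cert, "other.example.test"))
}
```

The check is a policy gate, not a replacement for the patched toolchain: it only ensures that a peer cannot hand the verifier a certificate whose SAN list is far larger than anything a legitimate deployment would issue, and it reports that condition as a distinct error so it can be alerted on.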

All three vulnerabilities were disclosed on the same day, indicating a coordinated disclosure event. While no specific threat actors or active exploitation campaigns were mentioned in the initial disclosures, the nature of these vulnerabilities suggests potential impacts ranging from denial-of-service to information disclosure and error manipulation. Developers using affected versions of Go should prioritize updating to patched versions to mitigate these risks.

Users of the Go programming language are advised to update their toolchains to versions that include fixes for these issues. The specific versions that address these vulnerabilities are typically detailed in the official Go security advisories. Given the range of impacts, from performance degradation to potential error injection and CPU exhaustion, applying these patches is crucial for maintaining the security and stability of applications built with Go.

Synthesized by Vypr AI