PatchSiren

CVE-2026-39820 Golang CVE debrief

CVE-2026-39820 is a high-severity vulnerability in the Go programming language that can be triggered by crafted inputs to the ParseAddress, ParseAddressList, and ParseDate functions. Such inputs cause excessive CPU consumption and memory allocation, which can result in denial of service (DoS). The vulnerability has a CVSS score of 7.5 (HIGH). It affects Go versions prior to 1.25.11 and 1.26.4. The CVE was published on May 7, 2026, and modified on July 1, 2026.

Vendor: Golang
Product: Go
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-07
Original CVE updated: 2026-07-01
Advisory published: 2026-05-07
Advisory updated: 2026-07-01

Who should care

Organizations and developers using the Go programming language should be aware of this vulnerability and take necessary actions to mitigate it. This includes reviewing their inventory of Go installations, updating to patched versions (1.25.11 or 1.26.4), and implementing compensating controls where immediate updates are not feasible. Red Hat users should check for errata updates specific to their systems.

Technical summary

The vulnerability is caused by insufficient input validation in the ParseAddress, ParseAddressList, and ParseDate functions in Go. An attacker can craft inputs that cause excessive CPU usage and memory allocation, leading to potential DoS conditions. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and a high impact on availability with no impact on confidentiality or integrity. The weakness is primarily classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-606 (Untrappable Exception in Java).

Defensive priority

High priority should be given to updating Go installations to versions 1.25.11 or 1.26.4. In environments where immediate updates are not possible, defenders should monitor for unusual patterns of CPU and memory usage that could indicate exploitation attempts. Implementing rate limiting or input validation for these functions may serve as temporary mitigations.

Recommended defensive actions

  • Update Go to version 1.25.11 or 1.26.4
  • Review and update affected Red Hat systems using provided errata
  • Monitor system resources for unusual patterns
  • Implement input validation for ParseAddress, ParseAddressList, and ParseDate functions
  • Consider rate limiting for these functions as a temporary measure
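
One way to apply the input-validation and rate-limiting items above until the upgrade lands, as an added example that is not code from the advisory or the Go project. It assumes the three functions are the ones in Go's standard net/mail package; the size limits, the concurrency cap and the Safe* wrapper names are hypothetical and should be tuned to real traffic.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"time"
)

// Assumed limits (not values from the advisory); tune to observed traffic.
const (
	maxHeaderBytes = 4096 // cap on one address or address-list header value
	maxDateBytes   = 128  // an RFC 5322 date is far shorter than this
	maxParallel    = 8    // parses allowed to run at once, process-wide
)

var (
	ErrTooLarge = errors.New("mailguard: input exceeds size limit")
	ErrBusy     = errors.New("mailguard: parser concurrency limit reached")
	slots       = make(chan struct{}, maxParallel)
)

// guarded rejects oversized input before any parsing work is done, then
// runs parse only if a slot is free, so a burst cannot pin every core.
func guarded[T any](s string, limit int, parse func(string) (T, error)) (T, error) {
	var zero T
	if len(s) > limit {
		return zero, ErrTooLarge
	}
	select {
	case slots <- struct{}{}:
		defer func() { <-slots }()
		return parse(s)
	default:
		return zero, ErrBusy
	}
}

// Drop-in wrappers for the three functions named in the advisory.
func SafeParseAddress(s string) (*mail.Address, error)       { return guarded(s, maxHeaderBytes, mail.ParseAddress) }
func SafeParseAddressList(s string) ([]*mail.Address, error) { return guarded(s, maxHeaderBytes, mail.ParseAddressList) }
func SafeParseDate(s string) (time.Time, error)              { return guarded(s, maxDateBytes, mail.ParseDate) }

func main() {
	list, err := SafeParseAddressList("Alice <alice@example.com>, bob@example.com") // constructed sample
	fmt.Println(len(list), err)
	_, err = SafeParseDate(string(make([]byte, maxDateBytes+1))) // oversized: refused before parsing
	fmt.Println(err)
}
```

Counting ErrTooLarge and ErrBusy returns gives the monitoring item above a direct signal alongside CPU and memory graphs.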

Evidence notes

The CVE record and NVD detail provide comprehensive information about the vulnerability, including its CVSS score, affected versions, and references to patches and advisories. Vendor advisories and errata from Red Hat are also available, offering specific guidance for users of their platforms.

This article is AI-assisted and based on the supplied source corpus.