{"id":"GO-2026-4342","summary":"Excessive CPU consumption when building archive index in archive/zip","details":"archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.","aliases":["BIT-golang-2025-61728","CVE-2025-61728"],"modified":"2026-04-04T10:29:23.020657707Z","published":"2026-01-28T19:08:28Z","related":["CGA-mmfw-mpcj-7qfm","RHSA-2026:2706","RHSA-2026:2708","RHSA-2026:2709","RHSA-2026:2914","RHSA-2026:2920","RHSA-2026:3188","RHSA-2026:3192","RHSA-2026:3193","RHSA-2026:3336","RHSA-2026:3337","RHSA-2026:3469","RHSA-2026:3471","RHSA-2026:3472","RHSA-2026:3473","RHSA-2026:3489","RHSA-2026:3752","RHSA-2026:3753","RHSA-2026:3831","RHSA-2026:3833","RHSA-2026:3835","RHSA-2026:3836","RHSA-2026:3838","RHSA-2026:3851","RHSA-2026:3854","RHSA-2026:3880","RHSA-2026:4672"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4342","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/736713"},{"type":"REPORT","url":"https://go.dev/issue/77102"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.24.12"},{"introduced":"1.25.0"},{"fixed":"1.25.6"}]}],"ecosystem_specific":{"imports":[{"path":"archive/zip","symbols":["Reader.Open","Reader.initFileList"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4342.json"}}],"schema_version":"1.7.5","credits":[{"name":"Jakub Ciolek"}]}