{"id":"GO-2026-4981","summary":"Crash when handling long CNAME response in net","details":"When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.","aliases":["BIT-golang-2026-33811","CVE-2026-33811"],"modified":"2026-05-11T08:11:09.084571258Z","published":"2026-05-07T19:21:40Z","related":["CGA-xr8m-473w-fvfq"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4981"},"references":[{"type":"REPORT","url":"https://go.dev/issue/78803"},{"type":"FIX","url":"https://go.dev/cl/767860"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/qcCIEXso47M"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.25.10"},{"introduced":"1.26.0-0"},{"fixed":"1.26.3"}]}],"ecosystem_specific":{"imports":[{"path":"net","symbols":["LookupCNAME","Resolver.LookupCNAME","cgoResSearch"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4981.json"}}],"schema_version":"1.7.5","credits":[{"name":"hamayanhamayan"}]}