{"id":"GO-2026-4986","summary":"Quadratic string concatenation in consumeComment in net/mail","details":"Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU consumption and memory allocations.","aliases":["BIT-golang-2026-39820","CVE-2026-39820"],"modified":"2026-05-11T08:11:18.687307707Z","published":"2026-05-07T19:21:40Z","related":["CGA-h3rh-hg4q-4x4p"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4986","review_status":"REVIEWED"},"references":[{"type":"REPORT","url":"https://go.dev/issue/78566"},{"type":"FIX","url":"https://go.dev/cl/759940"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/qcCIEXso47M"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.25.10"},{"introduced":"1.26.0-0"},{"fixed":"1.26.3"}]}],"ecosystem_specific":{"imports":[{"path":"net/mail","symbols":["AddressParser.Parse","AddressParser.ParseList","Header.AddressList","Header.Date","ParseAddress","ParseAddressList","ParseDate","addrParser.consumeComment"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4986.json"}}],"schema_version":"1.7.5","credits":[{"name":"thatnealpatel"}]}