CVE-2026-39820
Published 2026-05-07
CVE-2026-39820: Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
Priority P341 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.76% (50.5th percentile)
Affected
101 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| ansible-automation-platform | platform-operator-bundle | — | — |
| build-of-trustee | trustee-rhel9-operator | — | — |
| buildah_project | buildah | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| compliance | openshift-compliance-operator-bundle | — | — |
| compliance | openshift-security-profiles-rhel8-operator | — | — |
| confidential-compute-attestation-tech-preview | trustee-rhel9-operator | — | — |
| container-native-virtualization | kubevirt-apiserver-proxy-rhel9 | — | — |
| container-native-virtualization | virt-api-rhel9 | — | — |
| container-tools_rhel8 | buildah | — | — |
| container-tools_rhel8 | conmon | — | — |
| container-tools_rhel8 | podman | — | — |
| container-tools_rhel8 | skopeo | — | — |
| cryostat | cryostat-storage-rhel9 | — | — |
| custom-metrics-autoscaler | custom-metrics-autoscaler-rhel9 | — | — |
| devspaces | configbump-rhel9 | — | — |
| devspaces | traefik-rhel9 | — | — |
| devworkspace | devworkspace-rhel9-operator | — | — |
| external-secrets-operator | external-secrets-rhel9 | — | — |
| gatekeeper | gatekeeper-rhel9-operator | — | — |
| go-toolset_rhel8 | golang | — | — |
| go_standard_library | net_mail | < 1.25.10 | 1.25.10 |
| go_standard_library | net_mail | >= 1.26.0-0 < 1.26.3 | 1.26.3 |
| golang | go | < 1.25.10 | 1.25.10 |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat · 7.5 HIGH
GHSA
GHSA-p9h5-jm8x-mjm5: Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations
ghsa_unreviewed · 2026-05-07 · CVE-2026-39820 [HIGH]
VulDB
net-mail up to 1.25.9/1.26.2 on Go algorithmic complexity (EUVD-2026-28423)
vuldb · 2026-05-07 · CVE-2026-39820 [LOW]
A vulnerability marked as problematic has been reported in net-mail up to 1.25.9/1.26.2 on Go. This impacts an unknown function. Performing a manipulation results in inefficient algorithmic complexity.
This vulnerability was named CVE-2026-39820. The attack may be initiated remotely. There is no available exploit.
It is suggested to upgrade the affected component.
Red Hat
net/mail: golang: Go net/mail: Denial of Service via crafted email inputs
vendor_redhat · 2026-05-07 · CVSS 7.5 · CVE-2026-39820 [HIGH] · CWE-606
A flaw was found in the `net/mail` package of the Go programming language. An attacker could provide specially crafted inputs to the `ParseAddress`, `ParseAddressList`, or `ParseDate` functions. This could lead to excessive consumption of CPU and memory resources, resulting in a Denial of Service (DoS) for applications processing these inputs.
Statement: This is an Important denial of service vulnerability in the Go `net/mail` package. Applications processing untrusted email inputs via `ParseAddress`, `ParseAddressList`, or `ParseDate` functions are susceptible to excessi
No detection rules found.
No public exploits indexed.
Rapid7
Patch Tuesday - May 2026
blogs_rapid7 · 2026-05-13 · CVSS 10.0 · CVE-2026-41089 [CRITICAL]
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
Bugzilla
CVE-2026-39820 net/mail: golang: Go net/mail: Denial of Service via crafted email inputs
bugzilla · 2026-05-07 · CVSS 7.5 · CVE-2026-39820 [HIGH]
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:22120 https://access.redhat.com/errata/RHSA-2026:22120
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2026:22121 https://access.redhat.com/errata/RHSA-2026:22121
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2026:22112 https://access.redhat.com/errata/RHSA-2026:22112
https://go.dev/cl/759940
https://go.dev/issue/78566
https://groups.google.com/g/golang-announce/c/qcCIEXso47M
https://pkg.go.dev/vuln/GO-2026-4986
https://access.redhat.com/errata/RHSA-2026:33120
https://access.redhat.com/errata/RHSA-2026:33123
https://access.redhat.com/errata/RHSA-2026:33142
https://access.redhat.com/errata/RHSA-2026:33150
https://access.redhat.com/security/cve/CVE-2026-39820
https://bugzilla.redhat.com/show_bug.cgi?id=2467820
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39820.json
Published: 2026-05-07