CVE-2026-39836
published 2026-05-07CVE-2026-39836: The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
PriorityP339high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.59%
43.7th percentile
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| go_standard_library | net | < 1.25.10 | 1.25.10 |
| go_standard_library | net | >= 1.26.0-0 < 1.26.3 | 1.26.3 |
| golang | go | < 1.25.10 | 1.25.10 |
| golang | go | >= 1.26.0 < 1.26.3 | 1.26.3 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-8g2r-hhvj-mv99: The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0)
ghsa_unreviewed·2026-05-07
CVE-2026-39836 [HIGH] GHSA-8g2r-hhvj-mv99: The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0)
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
VulDB
net up to 1.25.9/1.26.2 on Go Dial/LookupPort uncaught exception (EUVD-2026-28427)
vuldb·2026-05-07
CVE-2026-39836 [LOW] net up to 1.25.9/1.26.2 on Go Dial/LookupPort uncaught exception (EUVD-2026-28427)
A vulnerability described as problematic has been identified in net up to 1.25.9/1.26.2 on Go. Affected is the function Dial/LookupPort. Executing a manipulation can lead to uncaught exception.
The identification of this vulnerability is CVE-2026-39836. The attack may be launched remotely. There is no exploit available.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
2026-05-07
Published