๐Ÿ” CVE Alert

CVE-2026-42504

HIGH 7.5

Quadratic complexity in WordDecoder.DecodeHeader in mime

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
5th

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Vendor go standard library
Product mime
Published Jun 2, 2026
Last Updated Jun 3, 2026
Stay Ahead of the Next One

Get instant alerts for go standard library mime

Be the first to know when new high vulnerabilities affecting go standard library mime are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Go standard library / mime
0 < 1.25.11 1.26.0-0 < 1.26.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
go.dev: https://go.dev/issue/79217 go.dev: https://go.dev/cl/774481 groups.google.com: https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-5038

Credits

p4p3r (https://hackerone.com/p4p3r_hak)