Vulnerability Report: GO-2026-4971
standard library- CVE-2026-39836
- Affects: net
- Published: May 07, 2026
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
Affected Packages
-
PathGo VersionsSymbols
-
before go1.25.10, from go1.26.0-0 before go1.26.3
31 affected symbols
- Dial
- DialTimeout
- Dialer.Dial
- Dialer.DialContext
- Listen
- ListenConfig.Listen
- ListenConfig.ListenPacket
- ListenPacket
- LookupAddr
- LookupCNAME
- LookupHost
- LookupIP
- LookupMX
- LookupNS
- LookupPort
- LookupSRV
- LookupTXT
- ResolveIPAddr
- ResolveTCPAddr
- ResolveUDPAddr
- Resolver.LookupAddr
- Resolver.LookupCNAME
- Resolver.LookupHost
- Resolver.LookupIP
- Resolver.LookupIPAddr
- Resolver.LookupMX
- Resolver.LookupNS
- Resolver.LookupNetIP
- Resolver.LookupPort
- Resolver.LookupSRV
- Resolver.LookupTXT
Aliases
References
- https://go.dev/issue/79006
- https://groups.google.com/g/golang-announce/c/qcCIEXso47M
- https://go.dev/cl/775320
- https://vuln.go.dev/ID/GO-2026-4971.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.