data/reports: add go1.26.4, go1.25.11 vuln reports Fixes golang/vulndb#5037 Fixes golang/vulndb#5038 Fixes golang/vulndb#5039 Change-Id: I8c5c60fbffb8e14cd0cb43df8d647e3690d25f09 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/786181 Reviewed-by: Nicholas Husin <husin@google.com> Auto-Submit: Neal Patel <nealpatel@google.com> Reviewed-by: Nicholas Husin <nsh@golang.org> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/cve/v5/GO-2026-5037.json b/data/cve/v5/GO-2026-5037.json new file mode 100644 index 0000000..f3b304a --- /dev/null +++ b/data/cve/v5/GO-2026-5037.json
@@ -0,0 +1,88 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.0", + "cveMetadata": { + "cveId": "CVE-2026-27145" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc" + }, + "title": "Inefficient candidate hostname parsing in crypto/x509", + "descriptions": [ + { + "lang": "en", + "value": "(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, \".\") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates." + } + ], + "affected": [ + { + "vendor": "Go standard library", + "product": "crypto/x509", + "collectionURL": "https://pkg.go.dev", + "packageName": "crypto/x509", + "versions": [ + { + "version": "0", + "lessThan": "1.25.11", + "status": "affected", + "versionType": "semver" + }, + { + "version": "1.26.0-0", + "lessThan": "1.26.4", + "status": "affected", + "versionType": "semver" + } + ], + "programRoutines": [ + { + "name": "HostnameError.Error" + }, + { + "name": "matchHostnames" + }, + { + "name": "Certificate.Verify" + }, + { + "name": "Certificate.VerifyHostname" + } + ], + "defaultStatus": "unaffected" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-407: Inefficient Algorithmic Complexity" + } + ] + } + ], + "references": [ + { + "url": "https://go.dev/cl/783621" + }, + { + "url": "https://go.dev/issue/79694" + }, + { + "url": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw" + }, + { + "url": "https://pkg.go.dev/vuln/GO-2026-5037" + } + ], + "credits": [ + { + "lang": "en", + "value": "Jakub Ciolek - https://ciolek.dev/" + } + ] + } + } +} \ No newline at end of file
diff --git a/data/cve/v5/GO-2026-5038.json b/data/cve/v5/GO-2026-5038.json new file mode 100644 index 0000000..7c8306a --- /dev/null +++ b/data/cve/v5/GO-2026-5038.json
@@ -0,0 +1,79 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.0", + "cveMetadata": { + "cveId": "CVE-2026-42504" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc" + }, + "title": "Quadratic complexity in WordDecoder.DecodeHeader in mime", + "descriptions": [ + { + "lang": "en", + "value": "Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU." + } + ], + "affected": [ + { + "vendor": "Go standard library", + "product": "mime", + "collectionURL": "https://pkg.go.dev", + "packageName": "mime", + "versions": [ + { + "version": "0", + "lessThan": "1.25.11", + "status": "affected", + "versionType": "semver" + }, + { + "version": "1.26.0-0", + "lessThan": "1.26.4", + "status": "affected", + "versionType": "semver" + } + ], + "programRoutines": [ + { + "name": "WordDecoder.DecodeHeader" + } + ], + "defaultStatus": "unaffected" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-407: Inefficient Algorithmic Complexity" + } + ] + } + ], + "references": [ + { + "url": "https://go.dev/issue/79217" + }, + { + "url": "https://go.dev/cl/774481" + }, + { + "url": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw" + }, + { + "url": "https://pkg.go.dev/vuln/GO-2026-5038" + } + ], + "credits": [ + { + "lang": "en", + "value": "p4p3r (https://hackerone.com/p4p3r_hak) " + } + ] + } + } +} \ No newline at end of file
diff --git a/data/cve/v5/GO-2026-5039.json b/data/cve/v5/GO-2026-5039.json new file mode 100644 index 0000000..e3ad086 --- /dev/null +++ b/data/cve/v5/GO-2026-5039.json
@@ -0,0 +1,88 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.0", + "cveMetadata": { + "cveId": "CVE-2026-42507" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc" + }, + "title": "Arbitrary inputs are included in errors without any escaping in net/textproto", + "descriptions": [ + { + "lang": "en", + "value": "When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged." + } + ], + "affected": [ + { + "vendor": "Go standard library", + "product": "net/textproto", + "collectionURL": "https://pkg.go.dev", + "packageName": "net/textproto", + "versions": [ + { + "version": "0", + "lessThan": "1.25.11", + "status": "affected", + "versionType": "semver" + }, + { + "version": "1.26.0-0", + "lessThan": "1.26.4", + "status": "affected", + "versionType": "semver" + } + ], + "programRoutines": [ + { + "name": "parseCodeLine" + }, + { + "name": "Reader.ReadCodeLine" + }, + { + "name": "readMIMEHeader" + }, + { + "name": "Error.Error" + }, + { + "name": "Reader.ReadMIMEHeader" + }, + { + "name": "Reader.ReadResponse" + } + ], + "defaultStatus": "unaffected" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-532: Insertion of Sensitive Information into Log File" + } + ] + } + ], + "references": [ + { + "url": "https://go.dev/issue/79346" + }, + { + "url": "https://go.dev/cl/777060" + }, + { + "url": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw" + }, + { + "url": "https://pkg.go.dev/vuln/GO-2026-5039" + } + ] + } + } +} \ No newline at end of file
diff --git a/data/osv/GO-2026-5037.json b/data/osv/GO-2026-5037.json new file mode 100644 index 0000000..60988a6 --- /dev/null +++ b/data/osv/GO-2026-5037.json
@@ -0,0 +1,74 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2026-5037", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2026-27145" + ], + "summary": "Inefficient candidate hostname parsing in crypto/x509", + "details": "(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, \".\") to execute repeatedly on the same input hostname.\n\nWith a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.11" + }, + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "crypto/x509", + "symbols": [ + "Certificate.Verify", + "Certificate.VerifyHostname", + "HostnameError.Error", + "matchHostnames" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/783621" + }, + { + "type": "REPORT", + "url": "https://go.dev/issue/79694" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw" + } + ], + "credits": [ + { + "name": "Jakub Ciolek - https://ciolek.dev/" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-5037", + "review_status": "REVIEWED" + } +} \ No newline at end of file
diff --git a/data/osv/GO-2026-5038.json b/data/osv/GO-2026-5038.json new file mode 100644 index 0000000..51f4353 --- /dev/null +++ b/data/osv/GO-2026-5038.json
@@ -0,0 +1,71 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2026-5038", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2026-42504" + ], + "summary": "Quadratic complexity in WordDecoder.DecodeHeader in mime", + "details": "Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.11" + }, + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "mime", + "symbols": [ + "WordDecoder.DecodeHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/79217" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/774481" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw" + } + ], + "credits": [ + { + "name": "p4p3r (https://hackerone.com/p4p3r_hak) " + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-5038", + "review_status": "REVIEWED" + } +} \ No newline at end of file
diff --git a/data/osv/GO-2026-5039.json b/data/osv/GO-2026-5039.json new file mode 100644 index 0000000..d5fc363 --- /dev/null +++ b/data/osv/GO-2026-5039.json
@@ -0,0 +1,71 @@ +{ + "schema_version": "1.3.1", + "id": "GO-2026-5039", + "modified": "0001-01-01T00:00:00Z", + "published": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2026-42507" + ], + "summary": "Arbitrary inputs are included in errors without any escaping in net/textproto", + "details": "When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.25.11" + }, + { + "introduced": "1.26.0-0" + }, + { + "fixed": "1.26.4" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "net/textproto", + "symbols": [ + "Error.Error", + "Reader.ReadCodeLine", + "Reader.ReadMIMEHeader", + "Reader.ReadResponse", + "parseCodeLine", + "readMIMEHeader" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/79346" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/777060" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2026-5039", + "review_status": "REVIEWED" + } +} \ No newline at end of file
diff --git a/data/reports/GO-2026-5037.yaml b/data/reports/GO-2026-5037.yaml new file mode 100644 index 0000000..56d8c2e --- /dev/null +++ b/data/reports/GO-2026-5037.yaml
@@ -0,0 +1,38 @@ +id: GO-2026-5037 +modules: + - module: std + versions: + - fixed: 1.25.11 + - introduced: 1.26.0-0 + - fixed: 1.26.4 + vulnerable_at: 1.26.3 + packages: + - package: crypto/x509 + symbols: + - HostnameError.Error + - matchHostnames + derived_symbols: + - Certificate.Verify + - Certificate.VerifyHostname +summary: Inefficient candidate hostname parsing in crypto/x509 +description: |- + (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop + over all DNS Subject Alternative Name (SAN) entries. This caused + strings.Split(host, ".") to execute repeatedly on the same input hostname. + + With a large DNS SAN list, verification costs scaled quadratically based on the + number of SAN entries multiplied by the hostname's label count. Because + x509.Verify validates hostnames before building the certificate chain, this + overhead occurred even for untrusted certificates. +credits: + - Jakub Ciolek - https://ciolek.dev/ +references: + - fix: https://go.dev/cl/783621 + - report: https://go.dev/issue/79694 + - web: https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw +cve_metadata: + id: CVE-2026-27145 + cwe: 'CWE-407: Inefficient Algorithmic Complexity' +source: + id: go-security-team +review_status: REVIEWED
diff --git a/data/reports/GO-2026-5038.yaml b/data/reports/GO-2026-5038.yaml new file mode 100644 index 0000000..a3ac3bd --- /dev/null +++ b/data/reports/GO-2026-5038.yaml
@@ -0,0 +1,28 @@ +id: GO-2026-5038 +modules: + - module: std + versions: + - fixed: 1.25.11 + - introduced: 1.26.0-0 + - fixed: 1.26.4 + vulnerable_at: 1.26.3 + packages: + - package: mime + symbols: + - WordDecoder.DecodeHeader +summary: Quadratic complexity in WordDecoder.DecodeHeader in mime +description: | + Decoding a maliciously-crafted MIME header containing many invalid + encoded-words can consume excessive CPU. +credits: + - 'p4p3r (https://hackerone.com/p4p3r_hak) ' +references: + - report: https://go.dev/issue/79217 + - fix: https://go.dev/cl/774481 + - web: https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw +cve_metadata: + id: CVE-2026-42504 + cwe: 'CWE-407: Inefficient Algorithmic Complexity' +source: + id: go-security-team +review_status: REVIEWED
diff --git a/data/reports/GO-2026-5039.yaml b/data/reports/GO-2026-5039.yaml new file mode 100644 index 0000000..469437f --- /dev/null +++ b/data/reports/GO-2026-5039.yaml
@@ -0,0 +1,33 @@ +id: GO-2026-5039 +modules: + - module: std + versions: + - fixed: 1.25.11 + - introduced: 1.26.0-0 + - fixed: 1.26.4 + vulnerable_at: 1.26.3 + packages: + - package: net/textproto + symbols: + - parseCodeLine + - Reader.ReadCodeLine + - readMIMEHeader + - Error.Error + derived_symbols: + - Reader.ReadMIMEHeader + - Reader.ReadResponse +summary: Arbitrary inputs are included in errors without any escaping in net/textproto +description: | + When returning errors, functions in the net/textproto package would + include its input as part of the error. This might allow an attacker + to inject misleading content to errors that are printed or logged. +references: + - report: https://go.dev/issue/79346 + - fix: https://go.dev/cl/777060 + - web: https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw +cve_metadata: + id: CVE-2026-42507 + cwe: 'CWE-532: Insertion of Sensitive Information into Log File' +source: + id: go-security-team +review_status: REVIEWED