PatchDay Alert

CVE-2026-39820

0 field notes · 1 digest · CVSS 7.5


Daily digests

Go's net/mail package has a quadratic blowup when parsing comments in email headers. An attacker can send a crafted email header that causes the parser to burn CPU for a very long time, effectively denying service to any Go application that parses mail. This affects Go itself plus anything built with it, including GCC's Go toolchain on the affected systems.
