← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-42504 · Disclosed 2026-06-02

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a mailroom scanner that bogs down on a stack of fake postage labels

CVE-2026-42504 is an algorithmic-complexity denial-of-service bug in Go's standard-library mime.WordDecoder.DecodeHeader, which decodes RFC 2047 MIME encoded-words in headers. A malicious header packed with many invalid encoded-words can force disproportionate CPU work because the pre-fix logic only skipped the opening =? on decode failure instead of advancing past the whole bad word. Upstream Go shipped fixes in go1.25.11 and go1.26.4 on **2026-06-02`; older or downstream builds may still be vulnerable unless the fix was backported.

There is no vendor CVSS baseline here, but reality does not support a panic-grade score. This is availability-only, requires attacker-controlled data to reach a fairly specific MIME-header decode path, and most Go services never touch that code at all. The places that should care are mail ingestion, IMAP/POP processing, MIME-heavy APIs, and any custom parser that feeds untrusted headers into mime.WordDecoder.

"ASSESSED AT MEDIUM: real CPU-burn bug, but only where untrusted MIME headers hit a narrow Go parser path"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a header stuffed with invalid encoded-words

The attacker sends email or other MIME-bearing input containing a long header with many malformed RFC 2047 encoded-words like repeated =?...?= fragments that fail decode. No memory corruption or auth bypass is needed; the payload is just syntactically nasty enough to keep the decoder revisiting the same region inefficiently. Public patch material shows the fix was to skip the full bad word, which strongly indicates the old path could be driven into repeated work.
Conditions required:
  • Attacker can supply untrusted MIME headers to the target workflow
  • The application preserves and parses those headers rather than rejecting them earlier
Where this breaks in practice:
  • Many enterprise Go services never parse MIME headers at all
  • MTAs, API gateways, or validation layers may cap header size or reject malformed input before Go sees it
Detection/coverage: Network scanners will not see this directly. Look for malformed encoded-word bursts in inbound headers and CPU spikes on parsing workers.
STEP 02

Reach mime.WordDecoder.DecodeHeader

The vulnerable code path matters more than the existence of Go itself. The attacker only wins if the target application or dependency actually calls mime.WordDecoder.DecodeHeader while handling the hostile input, whether through mail processing, MIME parsing, or custom code using the standard library package.
Conditions required:
  • Application code or a dependency uses mime.WordDecoder.DecodeHeader on attacker-controlled data
  • The parsing happens synchronously in a request, job, or mail-processing path
Where this breaks in practice:
  • A large share of Go binaries do not import or exercise this function
  • Some applications parse headers with alternate libraries or sanitize input before decode
Detection/coverage: SCA can identify vulnerable Go toolchains, but it cannot prove reachability. govulncheck, SBOMs, and source grep help on build systems; runtime profilers help confirm execution.
STEP 03

Burn CPU in the decoder

On each undecodable word, the old logic advanced too little, letting a crafted header trigger repeated scanning work and excessive CPU time. The patch replaces header[start+2:] handling with advancing to the computed end of the bad word, cutting off the non-linear behavior. In practice this becomes a per-request or per-message CPU amplification bug, not a takeover primitive.
Conditions required:
  • The vulnerable function runs on sufficiently large or repeated malformed headers
  • The service lacks tight per-request CPU/time limits
Where this breaks in practice:
  • Process supervisors, timeouts, worker pools, and autoscaling can blunt single-message impact
  • Header-size limits reduce how much amplification an attacker gets
Detection/coverage: Profiling should show hot time in mime.(*WordDecoder).DecodeHeader or nearby string scanning. Application APM may surface slow mail/header parse operations.
STEP 04

Cause service degradation, not compromise

The end state is queue backup, worker starvation, latency blowout, or pod/process churn if enough requests or messages are delivered. There is no evidence this yields code execution, data exposure, or privilege gain. Blast radius is therefore bounded to the parsing service and whatever depends on its throughput.
Conditions required:
  • Attacker can repeat the input often enough to outpace available worker capacity
  • The affected parser sits on a business-critical path
Where this breaks in practice:
  • Mail queues, backpressure, and async processing can isolate the damage
  • Multi-tier environments often contain the failure to a single service pool
Detection/coverage: Watch for elevated CPU, worker saturation, retry storms, and mail/job backlog growth rather than classic exploit telemetry.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo evidence found of active exploitation, and not listed in CISA KEV as of 2026-06-02.
Public exploit / PoCNo weaponized PoC repo found in primary sources. The public patch and code-review trail are enough for a competent attacker to reproduce the issue.
EPSSNo EPSS value was found in authoritative sources reviewed; treat predictive exploitation data as not yet available.
KEV statusNot KEV-listed; CISA's catalog is the authoritative exploitation tracker and does not show this CVE.
CVSS / vectorNo vendor or authority CVSS was published. Practically this is network-reachable availability impact only where untrusted MIME headers reach the vulnerable decoder.
Affected versionsUpstream supported branches were fixed in go1.25.11 and go1.26.4, so upstream releases before those points on the 1.25 and 1.26 branches are affected. Older/EOL branches may also contain the bug, but upstream did not publish fresh fixes for unsupported lines.
Fixed versionsUpstream fixes shipped in Go 1.25.11 and Go 1.26.4 on 2026-06-02. Downstreams can and do backport: Yocto/OpenEmbedded shows a backport into its go-1.22.12 recipe.
Exposure / internet scanningThis is not directly fingerprintable on Shodan/Censys/FOFA because the vulnerable surface is a library function, not a standalone network daemon. Exposure is determined by application behavior, especially mail/MIME parsing paths.
Disclosure timelinePatch authored 2026-05-05, downstream Yocto backport posted 2026-05-21, upstream fixed releases landed 2026-06-02, matching the disclosure date provided.
Reporter / creditNo public reporter credit was visible in the release-history, code-review, or backport artifacts reviewed.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to MEDIUM (5.6/10)

The deciding factor is reachability: an attacker must get a malicious MIME header into a code path that actually calls mime.WordDecoder.DecodeHeader, and that sharply narrows the exposed population compared with a typical Go deployment. The impact is also strictly availability-focused—CPU burn and service slowdown—without evidence of code execution, data theft, or privilege gain.

HIGH Affected upstream fixed versions (`go1.25.11` / `go1.26.4`) and technical root cause
MEDIUM Real-world exposed population, because usage of `mime.WordDecoder.DecodeHeader` is app-specific
MEDIUM Lack of active exploitation evidence as of 2026-06-02

Why this verdict

  • Started at a midrange DoS baseline because this is a remotely triggerable parser bug in the Go standard library, but it is availability-only and has no confidentiality or integrity impact.
  • Exposure drops hard after the first prerequisite: the attacker needs untrusted MIME headers to reach mime.WordDecoder.DecodeHeader, which implies mail/MIME parsing or equivalent application logic rather than generic Go service exposure.
  • Blast radius stays local to the parsing workload: the realistic outcome is worker saturation, backlog, or latency spikes, not tenant escape, credential theft, or code execution.

Why not higher?

There is no published evidence of exploitation, no KEV listing, and no sign this crosses over into memory corruption or control-flow hijack. Even in exposed environments, the attacker still needs a fairly specific parser path rather than merely reaching a TCP listener on any Go service.

Why not lower?

The bug is in the standard library, so the affected code is trustworthy-looking and can sit invisibly inside production mail or MIME workflows. If an internet-facing mail/API edge does parse attacker-controlled headers, exploitation is low-complexity and can translate directly into operational pain through CPU exhaustion.

05 · Compensating Control

What to do — in priority order.

  1. Cap header size and header count — Reject or truncate oversized MIME headers before they reach Go parsing code. For a MEDIUM verdict there is no mitigation SLA—apply this as normal hardening while you work toward the 365-day remediation window, prioritizing internet-facing mail and ingestion tiers first.
  2. Rate-limit untrusted mail and MIME ingestion — Throttle SMTP/API submitters, batch parsers, and queue consumers so a single sender cannot monopolize parser CPU. There is no mitigation SLA for this severity, but it is the best temporary brake if rebuilding affected services will take time.
  3. Isolate parsing workers — Put MIME decoding in bounded worker pools with CPU/time limits, queue depth alerts, and failure isolation so a bad message burns one worker instead of the whole service. With a MEDIUM rating, do this through standard engineering change windows rather than emergency change control.
  4. Rebuild and redeploy with fixed Go releases — For Go stdlib CVEs, patching the toolchain alone is not enough if your production binaries were already built with the vulnerable stdlib. Rebuild applications that parse untrusted MIME headers using Go 1.25.11, Go 1.26.4, or a confirmed downstream backport, inside the remediation window.
What doesn't work
  • A WAF alone does not solve this when the vulnerable path is mail ingestion, internal queue processing, or non-HTTP MIME handling.
  • Network segmentation alone is weak protection because the hostile content can arrive through legitimate mail relays or application submission paths you already allow.
  • EDR is not preventative here; at best it tells you a process is hot after the CPU has already been burned.
06 · Verification

Crowdsourced verification payload.

Run this on a build host, CI runner, or on a server that has either the Go toolchain or a target Go binary available. Invoke it as ./check-cve-2026-42504.sh to assess the installed toolchain, or ./check-cve-2026-42504.sh /path/to/binary to inspect a deployed Go executable via go version -m; no root is required, only read access to the toolchain or binary. This script is conservative: upstream version matches return VULNERABLE/PATCHED; older or distro-backported builds that cannot be proven one way or the other return UNKNOWN unless the patched source is visible.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-cve-2026-42504.sh
# Determine likely exposure to CVE-2026-42504 in Go stdlib mime.WordDecoder.DecodeHeader.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

status="UNKNOWN"
reason=""

ver_ge() {
  # Compare semantic versions like 1.25.11 >= 1.25.9
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

ver_lt() {
  ! ver_ge "$1" "$2"
}

extract_go_version() {
  local target="${1:-}"
  local out ver

  if [ -n "$target" ]; then
    if ! command -v go >/dev/null 2>&1; then
      echo ""
      return 0
    fi
    out="$(go version -m "$target" 2>/dev/null | head -n1 || true)"
    ver="$(printf '%s' "$out" | grep -Eo 'go[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n1 | sed 's/^go//')"
    printf '%s' "$ver"
    return 0
  fi

  if command -v go >/dev/null 2>&1; then
    out="$(go version 2>/dev/null || true)"
    ver="$(printf '%s' "$out" | grep -Eo 'go[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n1 | sed 's/^go//')"
    printf '%s' "$ver"
    return 0
  fi

  echo ""
}

source_has_fix() {
  local goroot file
  goroot="${GOROOT:-}"
  if [ -z "$goroot" ] && command -v go >/dev/null 2>&1; then
    goroot="$(go env GOROOT 2>/dev/null || true)"
  fi
  file="$goroot/src/mime/encodedword.go"

  [ -f "$file" ] || return 1
  grep -Fq 'buf.WriteString(header[:end])' "$file" && grep -Fq 'header = header[end:]' "$file"
}

classify_version() {
  local v="$1"

  if [ -z "$v" ]; then
    status="UNKNOWN"
    reason="Could not determine Go version."
    return
  fi

  case "$v" in
    1.26.*)
      if ver_lt "$v" "1.26.4"; then
        status="VULNERABLE"
        reason="Upstream 1.26 branch is fixed in 1.26.4; found $v."
      else
        status="PATCHED"
        reason="Upstream 1.26 branch fixed in 1.26.4; found $v."
      fi
      ;;
    1.25.*)
      if ver_lt "$v" "1.25.11"; then
        status="VULNERABLE"
        reason="Upstream 1.25 branch is fixed in 1.25.11; found $v."
      else
        status="PATCHED"
        reason="Upstream 1.25 branch fixed in 1.25.11; found $v."
      fi
      ;;
    *)
      if source_has_fix; then
        status="PATCHED"
        reason="Installed source tree contains the backported fix in mime/encodedword.go."
      else
        status="UNKNOWN"
        reason="Version $v is not on an upstream fixed branch we can classify confidently, and no visible source backport was confirmed."
      fi
      ;;
  esac
}

target="${1:-}"
if [ -n "$target" ] && [ ! -r "$target" ]; then
  echo "UNKNOWN - Cannot read target: $target"
  exit 2
fi

version="$(extract_go_version "$target")"
classify_version "$version"

echo "$status - $reason"

case "$status" in
  PATCHED) exit 0 ;;
  VULNERABLE) exit 1 ;;
  *) exit 2 ;;
esac
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do an inventory pass for Go services that parse untrusted email or MIME headers and separate them from the much larger set of Go binaries that are irrelevant here. For a MEDIUM verdict, the noisgate mitigation SLA is no mitigation SLA — go straight to the 365-day remediation window; use that time to confirm which apps actually hit mime.WordDecoder.DecodeHeader, then rebuild and redeploy those services with Go 1.25.11, Go 1.26.4, or a verified downstream backport under the noisgate remediation SLA of ≤365 days.

Sources

  1. Go release history
  2. Go standard library source for `mime/encodedword.go`
  3. Go code review listing showing release-branch fixes
  4. Go release dashboard showing `mime` fix landing on supported branches
  5. Go standard library package index showing published fixed stdlib version
  6. Go `mime` package documentation
  7. Yocto/OpenEmbedded backport for CVE-2026-42504
  8. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.