Go Standard Library net/mail Vulnerability: Quadratic Algorithm in consumePhrase Enables DoS via Malformed Headers
A critical algorithmic complexity flaw has been identified in Go's net/mail standard library package, exposing applications parsing email headers to potential denial-of-service attacks. The vulnerability, tracked as GO-2026-4977 (CVE-2026-42499), stems from quadratic O(n²) string concatenation behavior within the consumePhrase function when processing malformed header phrases.
The issue emerges when net/mail encounters specially crafted email header input. Instead of using an efficient string builder, the affected code path performs repeated string allocations and concatenations whose cost scales quadratically with input length. An attacker able to submit or inject such headers can use this behavior to drive CPU consumption high enough that the parsing service becomes unresponsive.
Go 1.26.2, the version pinned in affected go.mod files, is confirmed vulnerable. The issue is fixed in Go 1.26.3, and anyone using net/mail for email header parsing should verify their Go toolchain version immediately. The fix is available through the standard Go update channels, and projects should audit any dependencies that bundle or transitively include affected Go standard library versions.
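An added example, not code from the Go project or this advisory, covering both the mitigation and the version check described above: it caps the size of an address header before handing it to net/mail (so the quadratic worst case in consumePhrase is bounded on an unpatched toolchain) and compares the running toolchain against the fixed release 1.26.3. The size limit, the helper names and the sample addresses are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"runtime"
	"strconv"
	"strings"
)

// Constructed cap (assumption): bounding phrase length bounds the quadratic worst case.
const maxAddressHeaderLen = 4096
var ErrHeaderTooLong = errors.New("address header exceeds size limit")

// ParseAddressListBounded rejects oversized input before net/mail sees it:
// a stop-gap for unpatched toolchains, not a substitute for Go 1.26.3.
func ParseAddressListBounded(header string) ([]*mail.Address, error) {
	if len(header) > maxAddressHeaderLen {
		return nil, ErrHeaderTooLong
	}
	return mail.ParseAddressList(header)
}

// ToolchainHasFix reports whether a runtime.Version() string like "go1.26.3" is at
// least the fixed release; pre-release/devel builds do not parse and count as unfixed.
func ToolchainHasFix(version string) bool {
	parts := strings.Split(strings.TrimPrefix(version, "go"), ".")
	var v [3]int // major, minor, patch; a missing patch number means .0
	for i := 0; i < 3 && i < len(parts); i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return false
		}
		v[i] = n
	}
	fixed := [3]int{1, 26, 3}
	for i := range v {
		if v[i] != fixed[i] {
			return v[i] > fixed[i]
		}
	}
	return true
}

func main() {
	fmt.Printf("%s has fix: %v\n", runtime.Version(), ToolchainHasFix(runtime.Version()))
	addrs, err := ParseAddressListBounded(`"Alice" <alice@example.com>, bob@example.com`) // constructed sample
	fmt.Println(len(addrs), err)
}
```

The cap is a defence-in-depth measure for the window before the toolchain is upgraded; upgrading to Go 1.26.3 remains the actual fix.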
Organizations operating mail servers, email processing pipelines, or any service that deserializes untrusted email content through Go's net/mail should treat this as a priority security update. The simplicity of the attack vector—requiring only malformed header injection—lowers the barrier for exploitation in environments where email content originates from external sources.