GO-2026-4981: Malicious DNS Servers Can Crash Go Applications via net Package CNAME Panic (CVE-2026-33811)
A vulnerability in the net package of Go's standard library allows a malicious DNS server to trigger a panic and crash any Go application that processes its responses. Tracked as CVE-2026-33811 and catalogued as GO-2026-4981, the flaw lies in CNAME record handling: when a DNS response contains a CNAME record longer than the package expects, the net package does not handle it gracefully and the application terminates abruptly.
The issue affects Go 1.26.2, the version currently specified in affected go.mod files. It is resolved in Go 1.26.3, so applying the fix includes bumping the Go version in go.mod. Exploitation requires an attacker to control or compromise a DNS server that a target application queries. Any Go application performing DNS lookups (including web servers, API backends, and microservices) is potentially exposed if it trusts responses from untrusted or partially trusted DNS infrastructure.
The net package is foundational to Go's networking stack and used extensively across the ecosystem, meaning the attack surface could be significant. The vulnerability has been assigned a dedicated entry in the Go vulnerability database with public tracking available. Organizations should audit Go-based services for vulnerable versions, prioritize patching for internet-facing applications, and consider the risk profile of DNS resolution paths in their infrastructure.
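As a starting point for that audit, here is an added example (not code from the Go project or the advisory) that checks whether a go.mod still permits building with a toolchain older than Go 1.26.3. The function names are illustrative, and it assumes the default GOTOOLCHAIN=auto selection and that releases after 1.26.3 also carry the fix.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// fixed encodes Go 1.26.3, the release the page names as carrying the fix.
const fixed = 1_026_003

// parseVersion maps "1.26.2", "go1.26.2" or "1.26" to a comparable integer; suffixes like "rc1" are ignored.
func parseVersion(s string) (int, bool) {
	parts := strings.SplitN(strings.TrimPrefix(s, "go"), ".", 3)
	var v [3]int
	for i, p := range parts {
		end := 0
		for end < len(p) && p[end] >= '0' && p[end] <= '9' {
			end++
		}
		n, err := strconv.Atoi(p[:end])
		if err != nil {
			return 0, false
		}
		v[i] = n
	}
	return v[0]*1_000_000 + v[1]*1_000 + v[2], len(parts) >= 2
}

// needsBump reports whether the highest of the go/toolchain directives is below the fix (assumes GOTOOLCHAIN=auto).
func needsBump(gomod string) bool {
	floor := 0
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop trailing comments
		f := strings.Fields(line)
		if len(f) == 2 && (f[0] == "go" || f[0] == "toolchain") {
			if v, ok := parseVersion(f[1]); ok && v > floor {
				floor = v
			}
		}
	}
	return floor < fixed
}

func main() {
	fmt.Println(needsBump("module example.com/svc\n\ngo 1.26.2\n")) // constructed input
}
```

A go.mod only sets a lower bound on the toolchain, so a module flagged here may still be built with a newer Go on a given host; the Go version embedded in the deployed binary is what settles it.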