Go's net/mail Package Vulnerable to Quadratic Complexity DoS via Malformed Email Comments
A denial-of-service vulnerability has been identified in Go's `net/mail` package that lets a remote attacker trigger O(n²) string concatenation through a specially crafted email header. The flaw, cataloged as CVE-2026-39820 (GO-2026-4986), lies in the `consumeComment` function, which handles the parenthesized comments RFC 5322 permits inside headers, and is reached when a message contains a deeply nested comment. A single malformed header is enough to make the parser spend time quadratic in the header's length, tying up the goroutine that is parsing it and, under modest load, rendering the affected service unresponsive.
The vulnerability stems from quadratic behavior in the string concatenation used while parsing a comment. When `net/mail` walks a header containing a deeply nested comment, it appends to the accumulated comment text one piece at a time; each append allocates a new string and copies everything accumulated so far, so total work grows with the square of the comment's length rather than linearly as a parser of this kind should. Because the attacker controls the header, a few kilobytes of parentheses buy a disproportionate amount of CPU time on the server, which is what makes this a remotely triggerable amplification vector.
The issue affects Go version 1.26.2. The Go security team has released a fix in Go 1.26.3, with the update documented in Go issue #1101. Organizations running applications that parse external email input through `net/mail` (for example via `mail.ParseAddress`, `mail.ParseAddressList` or `mail.ReadMessage`) should verify their Go version and rebuild against the patched toolchain as a priority; `govulncheck` reports affected binaries under the GO-2026-4986 identifier. Services handling untrusted or external email content face elevated exposure, particularly mail transfer agents, email gateways, and any application performing automated header analysis, including webmail, ticketing and log-ingestion systems that accept `From`/`To` values from arbitrary senders. Where an immediate upgrade is not possible, capping the size and comment-nesting depth of headers before handing them to `net/mail` bounds the quadratic term. Maintaining awareness of Go runtime dependencies and their update cycles remains critical for systems security hygiene.
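The following Go program is an added illustration written for this page; it is not the `net/mail` source and not the upstream patch. It shows both the quadratic pattern described above and the interim guard suggested in the previous paragraph: `consumeCommentConcat` accumulates comment text with `+=` (one full copy per byte), `consumeCommentBuilder` does the same job with `strings.Builder` in linear time, and `parseAddressBounded` rejects oversized or deeply nested headers before calling the real `mail.ParseAddress`. The function names, the depth and size limits, and the `nestedComment` payload generator are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
	"time"
)

// consumeCommentConcat mirrors the quadratic pattern the advisory describes.
// It receives the input just after an opening '(' and appends each kept byte
// with string concatenation, which copies the whole accumulated string every
// iteration. Constructed, simplified illustration; not net/mail's code.
func consumeCommentConcat(s string) (comment string, ok bool) {
	depth := 1 // the caller has already consumed the opening '('
	for len(s) > 0 && depth > 0 {
		c := s[0]
		switch {
		case c == '\\' && len(s) > 1:
			s = s[1:] // quoted-pair: drop the backslash, keep the escaped byte
		case c == '(':
			depth++
		case c == ')':
			depth--
		}
		if depth > 0 {
			comment += s[:1] // O(len(comment)) copy per byte -> O(n^2) overall
		}
		s = s[1:]
	}
	return comment, depth == 0
}

// consumeCommentBuilder is the same state machine with amortized O(1) appends,
// i.e. the linear-time behaviour a parser of this kind should have.
func consumeCommentBuilder(s string) (string, bool) {
	depth := 1
	var b strings.Builder
	for len(s) > 0 && depth > 0 {
		c := s[0]
		switch {
		case c == '\\' && len(s) > 1:
			s = s[1:]
		case c == '(':
			depth++
		case c == ')':
			depth--
		}
		if depth > 0 {
			b.WriteByte(s[0])
		}
		s = s[1:]
	}
	return b.String(), depth == 0
}

// nestedComment builds the constructed attacker payload "((( ... )))" with n levels.
func nestedComment(n int) string {
	return strings.Repeat("(", n) + strings.Repeat(")", n)
}

// timeConsume measures one call so the two implementations can be compared.
func timeConsume(fn func(string) (string, bool), s string) time.Duration {
	start := time.Now()
	fn(s)
	return time.Since(start)
}

// Interim guard for callers that cannot upgrade yet. Limits are assumptions;
// pick values that fit legitimate traffic for your service.
const (
	maxHeaderBytes  = 4096
	maxCommentDepth = 8
)

// maxParenDepth returns the deepest '(' nesting in s, honouring backslash
// escapes. It ignores quoted strings, so a '(' inside "..." also counts; that
// only makes the guard stricter, never more permissive.
func maxParenDepth(s string) int {
	depth, peak := 0, 0
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '\\':
			i++ // skip the escaped byte
		case '(':
			depth++
			if depth > peak {
				peak = depth
			}
		case ')':
			if depth > 0 {
				depth--
			}
		}
	}
	return peak
}

// parseAddressBounded bounds the input before net/mail ever sees it, so the
// quadratic term is capped by maxHeaderBytes even on a vulnerable toolchain.
func parseAddressBounded(raw string) (*mail.Address, error) {
	if len(raw) > maxHeaderBytes {
		return nil, fmt.Errorf("address header too long: %d bytes (limit %d)", len(raw), maxHeaderBytes)
	}
	if d := maxParenDepth(raw); d > maxCommentDepth {
		return nil, fmt.Errorf("comment nesting too deep: %d levels (limit %d)", d, maxCommentDepth)
	}
	return mail.ParseAddress(raw)
}

func main() {
	payload := nestedComment(50000) // 100 KB of parentheses
	fmt.Printf("concat:  %v\n", timeConsume(consumeCommentConcat, payload[1:]))
	fmt.Printf("builder: %v\n", timeConsume(consumeCommentBuilder, payload[1:]))

	for _, h := range []string{
		"Bob (ops (on-call)) <bob@example.com>",
		"Eve " + payload + " <eve@example.com>",
	} {
		addr, err := parseAddressBounded(h)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", addr.Address)
	}
}
```

Running `main` prints the two timings side by side; the concatenating version takes hundreds of milliseconds on a 100 KB payload while the builder version finishes in microseconds, and the guard rejects the oversized header without ever invoking `net/mail`. The guard is a stop-gap, not a substitute for upgrading: it protects only the call sites you wrap, and any other path that feeds untrusted headers into `net/mail` remains exposed until the toolchain is updated.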