CVE-2026-42504: Quadratic complexity in WordDecoder.DecodeHeader in mime
Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 1.25.11
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a denial-of-service vulnerability caused by quadratic CPU complexity in the Go standard library's mime package, specifically in the WordDecoder.DecodeHeader function. The flaw is reachable over the network with no authentication required, and it is triggered by supplying a MIME header containing many invalid encoded-words. Successful exploitation causes the affected service to consume excessive CPU, stalling or crashing it. Patched-image rebuilds at Go 1.25.11 and 1.26.4 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle an affected Go standard library version.
HarborGuard scores this CVE at CVSS 7.5 (HIGH) and weights it against each environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within the customer org based on policy configuration.
Patched-image rebuilds at Go 1.25.11 (for the 1.25.x line) and 1.26.4 (for the 1.26.x line) become available on HarborGuard for any image found to carry an affected Go version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The vulnerable code path is exposed over the network; an attacker must be able to send a crafted HTTP or other protocol request containing MIME headers to the target service.
- Authentication: Not required
  No credentials or session token are needed; any unauthenticated request carrying a malformed MIME header is sufficient to trigger the vulnerability.
- Victim interaction: Not required
  The attacker does not need a victim to take any action; sending the malicious request directly to the service is enough.
- Attack complexity
  Exploitation is reliable and condition-free; no race condition, memory layout dependency, or special environmental state is required to trigger the quadratic CPU consumption.
Blast Radius
- The targeted service consumes excessive CPU processing the malformed MIME header, causing severe throughput degradation or a full service hang.
- Other workloads sharing the same host or container resources experience starvation as CPU is monopolized by the runaway decode loop.
- Availability of any application built on Go's standard mime package is disrupted for the duration of the attack, with no data disclosure or data modification occurring.
How HarborGuard Handles This
Available on HarborGuard: any image containing a Go toolchain or runtime in the affected version ranges (Go below 1.25.11 or 1.26.x below 1.26.4) is flagged automatically within minutes of the CVE entering upstream feeds. Where compliance policy permits, HarborGuard can rebuild the image at the fixed Go version, run the configured regression suite, and open a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For teams not yet on auto-remediation, HarborGuard surfaces the finding with fix-version guidance so engineers can prioritize the rebuild manually. As a compensating control until the rebuild is applied, consider placing network policy rules in front of any service that processes untrusted MIME headers to restrict the sources of inbound requests and reduce exposure to crafted payloads.
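An application-level compensating control, complementing the network policy above, is to bound what reaches the decoder. The following is an added example (not HarborGuard's or the Go project's code): a wrapper around mime.WordDecoder.DecodeHeader that rejects oversized headers or headers with an unusual number of encoded-word markers before decoding; the limits and sample headers are constructed assumptions to tune per service.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"strings"
)

// Constructed limits (assumptions, not values from the advisory); tune per service.
const (
	maxHeaderBytes  = 8 * 1024 // refuse headers larger than this
	maxEncodedWords = 64       // refuse headers with more "=?" markers than this
)

var (
	ErrHeaderTooLong       = errors.New("mime header exceeds size limit")
	ErrTooManyEncodedWords = errors.New("mime header has too many encoded-word markers")
)

// DecodeHeaderBounded runs two linear-time checks before handing an untrusted
// header to mime.WordDecoder.DecodeHeader, so a header built from many
// (possibly invalid) encoded-words is rejected instead of decoded.
func DecodeHeaderBounded(dec *mime.WordDecoder, header string) (string, error) {
	if len(header) > maxHeaderBytes {
		return "", ErrHeaderTooLong
	}
	// Every RFC 2047 encoded-word starts with "=?"; strings.Count is O(len(header)).
	if strings.Count(header, "=?") > maxEncodedWords {
		return "", ErrTooManyEncodedWords
	}
	return dec.DecodeHeader(header)
}

func main() {
	dec := new(mime.WordDecoder)
	// Constructed sample headers: one benign, one over the encoded-word limit.
	samples := []string{
		"=?utf-8?q?Hello_World?= from =?utf-8?b?Qm9i?=",
		strings.Repeat("=?x?", maxEncodedWords+1),
	}
	for _, h := range samples {
		out, err := DecodeHeaderBounded(dec, h)
		fmt.Printf("decoded=%q err=%v\n", out, err)
	}
}
```

Rejected headers should be logged with the source address so that repeated hits surface in detection tooling while the rebuild is pending.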
Fix available
- Go standard library / mime: < 1.25.11 (from 0) · < 1.26.4 (from 1.26.0-0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H