net/mail: ParseAddress: quadratic complexity in consumeComment

[neild]

Well-crafted inputs reaching ParseAddress, ParseAddressList,
and ParseDate were able to trigger excessive CPU exhaustion
and memory allocations.

This is CVE-2026-39820 and Go issue https://go.dev/issue/78566.

---

This was a PUBLIC track issue, tracked in http://b/500346169.

[neild]

@gopherbot please open backport issues for this security fix.

[gopherbot]

Backport issue(s) opened: #78567 (for 1.25), #78568 (for 1.26).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/763558 mentions this issue: [release-branch.go1.25] net/mail: fix quadratic complexity in consumeComment

[gopherbot]

Change https://go.dev/cl/763800 mentions this issue: [release-branch.go1.26] net/mail: fix quadratic complexity in consumeComment

[gabyhelp]

Related Issues

• net/mail: excessive CPU consumption in ParseAddress (CVE-2025-61725) #75680 (closed)
• encoding/pem: quadratic complexity when parsing some invalid inputs (CVE-2025-61723) #75676 (closed)
• net/textproto: excessive CPU consumption in Reader.ReadResponse (CVE-2025-61724) #75716 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}