Vulnerability-Lookup

OPENSUSE-SU-2026:10975-1

Vulnerability from csaf_opensuse - Published: 2026-06-08 00:00 - Updated: 2026-06-08 00:00

Summary

rclone-1.74.3-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: rclone-1.74.3-1.1 on GA media

Description of the patch: These are all security issues fixed in the rclone-1.74.3-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10975

CVE-2026-27145

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Affected products

Recommended 12 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2026-42504

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected products

Recommended 12 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2026-42507

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected products

Recommended 12 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2026-49980

Affected products

Recommended 12 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

14 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-27145/	self
https://www.suse.com/security/cve/CVE-2026-42504/	self
https://www.suse.com/security/cve/CVE-2026-42507/	self
https://www.suse.com/security/cve/CVE-2026-49980/	self
https://www.suse.com/security/cve/CVE-2026-27145	external
https://bugzilla.suse.com/1267450	external
https://www.suse.com/security/cve/CVE-2026-42504	external
https://bugzilla.suse.com/1267442	external
https://www.suse.com/security/cve/CVE-2026-42507	external
https://bugzilla.suse.com/1267444	external
https://www.suse.com/security/cve/CVE-2026-49980	external
https://bugzilla.suse.com/1267869	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "rclone-1.74.3-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the rclone-1.74.3-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10975",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10975-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-27145 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-27145/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-42504 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-42504/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-42507 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-42507/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-49980 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-49980/"
      }
    ],
    "title": "rclone-1.74.3-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-06-08T00:00:00Z",
      "generator": {
        "date": "2026-06-08T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10975-1",
      "initial_release_date": "2026-06-08T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-06-08T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rclone-1.74.3-1.1.aarch64",
                "product": {
                  "name": "rclone-1.74.3-1.1.aarch64",
                  "product_id": "rclone-1.74.3-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-bash-completion-1.74.3-1.1.aarch64",
                "product": {
                  "name": "rclone-bash-completion-1.74.3-1.1.aarch64",
                  "product_id": "rclone-bash-completion-1.74.3-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-zsh-completion-1.74.3-1.1.aarch64",
                "product": {
                  "name": "rclone-zsh-completion-1.74.3-1.1.aarch64",
                  "product_id": "rclone-zsh-completion-1.74.3-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rclone-1.74.3-1.1.ppc64le",
                "product": {
                  "name": "rclone-1.74.3-1.1.ppc64le",
                  "product_id": "rclone-1.74.3-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-bash-completion-1.74.3-1.1.ppc64le",
                "product": {
                  "name": "rclone-bash-completion-1.74.3-1.1.ppc64le",
                  "product_id": "rclone-bash-completion-1.74.3-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-zsh-completion-1.74.3-1.1.ppc64le",
                "product": {
                  "name": "rclone-zsh-completion-1.74.3-1.1.ppc64le",
                  "product_id": "rclone-zsh-completion-1.74.3-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rclone-1.74.3-1.1.s390x",
                "product": {
                  "name": "rclone-1.74.3-1.1.s390x",
                  "product_id": "rclone-1.74.3-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-bash-completion-1.74.3-1.1.s390x",
                "product": {
                  "name": "rclone-bash-completion-1.74.3-1.1.s390x",
                  "product_id": "rclone-bash-completion-1.74.3-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-zsh-completion-1.74.3-1.1.s390x",
                "product": {
                  "name": "rclone-zsh-completion-1.74.3-1.1.s390x",
                  "product_id": "rclone-zsh-completion-1.74.3-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rclone-1.74.3-1.1.x86_64",
                "product": {
                  "name": "rclone-1.74.3-1.1.x86_64",
                  "product_id": "rclone-1.74.3-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-bash-completion-1.74.3-1.1.x86_64",
                "product": {
                  "name": "rclone-bash-completion-1.74.3-1.1.x86_64",
                  "product_id": "rclone-bash-completion-1.74.3-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-zsh-completion-1.74.3-1.1.x86_64",
                "product": {
                  "name": "rclone-zsh-completion-1.74.3-1.1.x86_64",
                  "product_id": "rclone-zsh-completion-1.74.3-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-1.74.3-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64"
        },
        "product_reference": "rclone-1.74.3-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-1.74.3-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le"
        },
        "product_reference": "rclone-1.74.3-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-1.74.3-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x"
        },
        "product_reference": "rclone-1.74.3-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-1.74.3-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64"
        },
        "product_reference": "rclone-1.74.3-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-bash-completion-1.74.3-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64"
        },
        "product_reference": "rclone-bash-completion-1.74.3-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-bash-completion-1.74.3-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le"
        },
        "product_reference": "rclone-bash-completion-1.74.3-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-bash-completion-1.74.3-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x"
        },
        "product_reference": "rclone-bash-completion-1.74.3-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-bash-completion-1.74.3-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64"
        },
        "product_reference": "rclone-bash-completion-1.74.3-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-zsh-completion-1.74.3-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64"
        },
        "product_reference": "rclone-zsh-completion-1.74.3-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-zsh-completion-1.74.3-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le"
        },
        "product_reference": "rclone-zsh-completion-1.74.3-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-zsh-completion-1.74.3-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x"
        },
        "product_reference": "rclone-zsh-completion-1.74.3-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-zsh-completion-1.74.3-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64"
        },
        "product_reference": "rclone-zsh-completion-1.74.3-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-27145",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-27145"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, \".\") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname\u0027s label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x",
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-27145",
          "url": "https://www.suse.com/security/cve/CVE-2026-27145"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267450 for CVE-2026-27145",
          "url": "https://bugzilla.suse.com/1267450"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-27145"
    },
    {
      "cve": "CVE-2026-42504",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-42504"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x",
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-42504",
          "url": "https://www.suse.com/security/cve/CVE-2026-42504"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267442 for CVE-2026-42504",
          "url": "https://bugzilla.suse.com/1267442"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-42504"
    },
    {
      "cve": "CVE-2026-42507",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-42507"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x",
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-42507",
          "url": "https://www.suse.com/security/cve/CVE-2026-42507"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267444 for CVE-2026-42507",
          "url": "https://bugzilla.suse.com/1267444"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-42507"
    },
    {
      "cve": "CVE-2026-49980",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-49980"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x",
          "openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x",
          "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-49980",
          "url": "https://www.suse.com/security/cve/CVE-2026-49980"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267869 for CVE-2026-49980",
          "url": "https://bugzilla.suse.com/1267869"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-bash-completion-1.74.3-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.s390x",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.74.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-49980"
    }
  ]
}

CVE-2026-27145 (GCVE-0-2026-27145)

Vulnerability from cvelistv5 – Published: 2026-06-02 22:01 – Updated: 2026-06-04 12:34

Title

Inefficient candidate hostname parsing in crypto/x509

Summary

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/cl/783621
https://go.dev/issue/79694
https://groups.google.com/g/golang-announce/c/tKs…
https://pkg.go.dev/vuln/GO-2026-5037

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.25.11 (semver) Affected: 1.26.0-0 , < 1.26.4 (semver)

Credits

Jakub Ciolek - https://ciolek.dev/

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27145",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-04T12:34:03.859208Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-04T12:34:53.136Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "HostnameError.Error"
            },
            {
              "name": "matchHostnames"
            },
            {
              "name": "Certificate.Verify"
            },
            {
              "name": "Certificate.VerifyHostname"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.4",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev/"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, \".\") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname\u0027s label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-02T22:01:36.954Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/783621"
        },
        {
          "url": "https://go.dev/issue/79694"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5037"
        }
      ],
      "title": "Inefficient candidate hostname parsing in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27145",
    "datePublished": "2026-06-02T22:01:36.954Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-06-04T12:34:53.136Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42504 (GCVE-0-2026-42504)

Vulnerability from cvelistv5 – Published: 2026-06-02 22:01 – Updated: 2026-06-03 14:06

Title

Quadratic complexity in WordDecoder.DecodeHeader in mime

Summary

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79217
https://go.dev/cl/774481
https://groups.google.com/g/golang-announce/c/tKs…
https://pkg.go.dev/vuln/GO-2026-5038

Impacted products

1 product

Vendor	Product	Version
Go standard library	mime	Affected: 0 , < 1.25.11 (semver) Affected: 1.26.0-0 , < 1.26.4 (semver)

Credits

p4p3r (https://hackerone.com/p4p3r_hak)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42504",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T14:05:39.682615Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-407",
                "description": "CWE-407 Inefficient Algorithmic Complexity",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T14:06:13.623Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "mime",
          "product": "mime",
          "programRoutines": [
            {
              "name": "WordDecoder.DecodeHeader"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.4",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "p4p3r (https://hackerone.com/p4p3r_hak)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-02T22:01:37.219Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79217"
        },
        {
          "url": "https://go.dev/cl/774481"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5038"
        }
      ],
      "title": "Quadratic complexity in WordDecoder.DecodeHeader in mime"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-42504",
    "datePublished": "2026-06-02T22:01:37.219Z",
    "dateReserved": "2026-04-28T00:21:12.792Z",
    "dateUpdated": "2026-06-03T14:06:13.623Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42507 (GCVE-0-2026-42507)

Vulnerability from cvelistv5 – Published: 2026-06-02 22:01 – Updated: 2026-06-03 19:04

Title

Arbitrary inputs are included in errors without any escaping in net/textproto

Summary

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-532 - Insertion of Sensitive Information into Log File

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79346
https://go.dev/cl/777060
https://groups.google.com/g/golang-announce/c/tKs…
https://pkg.go.dev/vuln/GO-2026-5039

Impacted products

1 product

Vendor	Product	Version
Go standard library	net/textproto	Affected: 0 , < 1.25.11 (semver) Affected: 1.26.0-0 , < 1.26.4 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42507",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T19:04:08.223332Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T19:04:45.361Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/textproto",
          "product": "net/textproto",
          "programRoutines": [
            {
              "name": "parseCodeLine"
            },
            {
              "name": "Reader.ReadCodeLine"
            },
            {
              "name": "readMIMEHeader"
            },
            {
              "name": "Error.Error"
            },
            {
              "name": "Reader.ReadMIMEHeader"
            },
            {
              "name": "Reader.ReadResponse"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.4",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-02T22:01:37.307Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79346"
        },
        {
          "url": "https://go.dev/cl/777060"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5039"
        }
      ],
      "title": "Arbitrary inputs are included in errors without any escaping in net/textproto"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-42507",
    "datePublished": "2026-06-02T22:01:37.307Z",
    "dateReserved": "2026-04-28T00:21:12.792Z",
    "dateUpdated": "2026-06-03T19:04:45.361Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2026:10975-1

CVE-2026-27145 (GCVE-0-2026-27145)

CVE-2026-42504 (GCVE-0-2026-42504)

CVE-2026-42507 (GCVE-0-2026-42507)

Tags

Sightings

Nomenclature