Vulnerability Summary Overview CVE ID: CVE-2026-42499 Description: The function in the package contains quadratic-complexity string concatenation when processing maliciously crafted email addresses, potentially leading to a Denial of Service (DoS). Trigger Conditions: Occurs when parsing email addresses compliant with RFC 5322, specifically when the phrase portion of the input is maliciously crafted. Related Issues: - : ParseAddress quadratic complexity (consumeComment #78566) - : High CPU consumption in ParseAddress (CVE-2023-61725, #75680) Impact Scope Affected Component: Go standard library Affected Versions: Specific versions are not explicitly listed, but the fix has been submitted to multiple branches (master, go1.25, go1.26) Risk Level: Security Remediation Fix Status: Closed, closed by 18 minutes ago. Fix Commits: - Main branch: - Go 1.25 branch: - Go 1.26 branch: Patch Details: Fixes the quadratic string concatenation behavior in to prevent CPU resource exhaustion. Next Steps: - Cherry-pick CLs have been created for release. - Related backport issues: #79003 (go1.25), #79004 (go1.26) - Other related fixes: The package's also suffers from quadratic complexity (#79217) > Note: No POC code or exploit code snippets were provided on the page.