net/mail: ParseAddress: quadratic complexity in consumeComment

[neild]

net.mail.ParseAddress constructs a string through repeated concatenation, potentially leading to excessive CPU consumption when parsing addresses with very long comments.

This was fixed in https://go.dev/cl/759940.

This is the same issue (in the same code, no less) as #75680, which was a PRIVATE track security fix. This has already leaked, therefore it is de facto PUBLIC track.

This is CVE-2026-39820.

[neild]

@gopherbot please open backport issues for this security fix.

[gopherbot]

Backport issue(s) opened: #78567 (for 1.25), #78568 (for 1.26).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/763558 mentions this issue: [release-branch.go1.25] net/mail: fix quadratic complexity in consumeComment

[gopherbot]

Change https://go.dev/cl/763800 mentions this issue: [release-branch.go1.26] net/mail: fix quadratic complexity in consumeComment

[gabyhelp]

Related Issues

• net/mail: excessive CPU consumption in ParseAddress (CVE-2025-61725) #75680 (closed)
• encoding/pem: quadratic complexity when parsing some invalid inputs (CVE-2025-61723) #75676 (closed)
• net/textproto: excessive CPU consumption in Reader.ReadResponse (CVE-2025-61724) #75716 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}