Security readout for executives and security teams
Plain-English summary
CVE-2026-42504 is a denial-of-service issue in Go's standard library MIME header decoder. A malicious MIME header with many invalid encoded-words can force excessive CPU work, potentially slowing or exhausting services that decode untrusted headers.
Executive priority
Treat as high priority for internet-facing Go services that parse MIME headers. The impact is availability, not data theft, but unauthenticated CPU exhaustion can still disrupt customer-facing systems.
Technical view
The issue is quadratic complexity in mime.WordDecoder.DecodeHeader. Network-reachable services that pass attacker-controlled MIME headers into this decoder may be exposed to CPU exhaustion. The source bundle lists high severity, CVSS 7.5, CWE-407, and affected Go standard library mime versions 0 to 1.26.0-0.
Likely exposure
Most likely exposure is Go applications or services that parse untrusted MIME-style headers using the standard library mime package, especially inbound mail, API, upload, or message-processing paths. Product-specific exposure is not identified in the provided sources.
Exploitation context
The bundle does not report CISA KEV listing or active exploitation. The described condition is remotely triggerable with low complexity and no authentication, but the provided sources do not give evidence of real-world exploitation.
Researcher notes
Evidence is limited to the supplied CVE, Go issue, Go change, Go announcement, and Go advisory references. Do not assume affected downstream products, exploit availability, or exact fixed versions beyond vendor-published guidance.
Mitigation direction
Check the Go advisory and release announcement for fixed versions.
Update affected Go toolchains or runtimes according to vendor guidance.
Prioritize services that decode externally supplied MIME headers.
Apply input size and request CPU controls where feasible.
Monitor header-parsing endpoints for abnormal CPU spikes.
Validation and detection
Inventory Go services and their build or runtime versions.
Search code for use of mime.WordDecoder.DecodeHeader.
Map whether decoded headers can be attacker-controlled.
Confirm remediation against the Go vulnerability advisory.
Retest representative MIME header handling after updating.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-407: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-407 · source CWE mapping
Inefficient Algorithmic Complexity
Inefficient Algorithmic Complexity represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.